VYPR

CWE-384

Session Fixation

Compound · Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

  • CVE-2007-5380 · Oct 19, 2007
    risk 0.00 · cvss · epss 0.04

    Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

  • CVE-2007-4188 · Aug 8, 2007
    risk 0.00 · cvss · epss 0.04

    Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.

  • CVE-2001-1534 · Dec 31, 2001
    risk 0.00 · cvss · epss 0.01

    mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for…

  • CVE-1999-0428 · Mar 22, 1999
    risk 0.00 · cvss · epss 0.03

    OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

  • risk 0.00 · cvss · epss 0.01

    Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue.