VYPR

CWE-384

Session Fixation

CompoundIncomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 2 of 11
  • CVE-2026-41613HigMay 12, 2026
    risk 0.57cvss 8.8epss 0.01

    Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-25101CriMar 27, 2026
    risk 0.57cvss 9.8epss 0.00

    Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in…

  • CVE-2026-22082HigJan 9, 2026
    risk 0.57cvss epss 0.00

    This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting…

  • CVE-2025-10228HigOct 14, 2025
    risk 0.57cvss 8.8epss 0.00

    Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44.

  • CVE-2024-13967HigJun 4, 2025
    risk 0.57cvss 8.8epss 0.00

    This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8.

  • CVE-2024-45368HigSep 13, 2024
    risk 0.57cvss 8.8epss 0.00

    The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication…

  • CVE-2018-9082HigSep 28, 2018
    risk 0.57cvss 8.8epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens…

  • CVE-2018-8852HigSep 26, 2018
    risk 0.57cvss 8.8epss 0.02

    Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier.

  • CVE-2018-12538HigJun 22, 2018
    risk 0.57cvss 8.8epss 0.03

    In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the…

  • CVE-2018-12071CriJun 17, 2018
    risk 0.57cvss 9.8epss 0.01

    A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.

  • CVE-2018-11571HigMay 31, 2018
    risk 0.57cvss 8.8epss 0.01

    ClipperCMS 1.3.3 allows Session Fixation.

  • CVE-2018-5465HigMar 6, 2018
    risk 0.57cvss 8.8epss 0.02

    A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A session fixation vulnerability in the web interface has been identified, which may allow an attacker to hijack web sessions.

  • CVE-2017-11562HigDec 19, 2017
    risk 0.57cvss 8.8epss 0.01

    A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php.

  • CVE-2017-1000150HigNov 3, 2017
    risk 0.57cvss 8.8epss 0.01

    Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks.

  • CVE-2017-14163HigOct 31, 2017
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the…

  • CVE-2017-11191HigSep 28, 2017
    risk 0.57cvss 8.8epss 0.02

    FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not…

  • CVE-2017-12873CriSep 1, 2017
    risk 0.57cvss 9.8epss 0.02

    SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

  • CVE-2017-12868CriSep 1, 2017
    risk 0.57cvss 9.8epss 0.02

    The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR…

  • CVE-2017-6412HigMar 30, 2017
    risk 0.56cvss 8.1epss 0.08

    In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310.

  • CVE-2025-0126HigApr 11, 2025
    risk 0.54cvss epss 0.00

    When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link…