CWE-384
Session Fixation
CompoundIncomplete
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (79)
page 2 of 4| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-1000150 | Hig | 0.57 | 8.8 | 0.00 | Nov 3, 2017 | Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |
| CVE-2017-14163 | Hig | 0.57 | 8.8 | 0.00 | Oct 31, 2017 | An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. | |
| CVE-2017-11191 | Hig | 0.57 | 8.8 | 0.00 | Sep 28, 2017 | FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern | |
| CVE-2017-12873 | Cri | 0.57 | 9.8 | 0.01 | Sep 1, 2017 | SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | |
| CVE-2017-12868 | Cri | 0.57 | 9.8 | 0.01 | Sep 1, 2017 | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | |
| CVE-2017-6412 | Hig | 0.56 | 8.1 | 0.01 | Mar 30, 2017 | In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. | |
| CVE-2017-14263 | Hig | 0.55 | 8.1 | 0.24 | Sep 11, 2017 | Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. | |
| CVE-2025-0126 | Hig | 0.54 | — | 0.00 | Apr 11, 2025 | When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker. The SAML login for the PAN-OS® management interface is not affected. Additionally, this issue does not affect Cloud NGFW and all Prisma® Access instances are proactively patched. | |
| CVE-2026-30808 | Hig | 0.53 | 8.1 | 0.00 | May 12, 2026 | Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800 | |
| CVE-2025-71057 | Hig | 0.53 | 8.2 | 0.00 | Feb 26, 2026 | Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | |
| CVE-2025-42602 | Hig | 0.53 | — | 0.01 | Apr 23, 2025 | This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | |
| CVE-2016-9981 | Hig | 0.53 | 8.1 | 0.00 | Aug 2, 2017 | IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257 | |
| CVE-2016-8638 | Cri | 0.53 | 9.1 | 0.07 | Jul 12, 2017 | A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." | |
| CVE-2017-4963 | Hig | 0.53 | 8.1 | 0.00 | Jun 13, 2017 | An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | |
| CVE-2016-0721 | Hig | 0.53 | 8.1 | 0.00 | Apr 21, 2017 | Session fixation vulnerability in pcsd in pcs before 0.9.157. | |
| CVE-2017-4014 | Hig | 0.52 | 8.0 | 0.00 | May 17, 2017 | Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request. | |
| CVE-2024-22250 | Hig | 0.51 | 7.8 | 0.00 | Feb 20, 2024 | Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system. | |
| CVE-2016-10205 | Hig | 0.48 | 7.3 | 0.01 | Mar 3, 2017 | Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. | |
| CVE-2026-2177 | Hig | 0.47 | 7.3 | 0.00 | Feb 8, 2026 | A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |
| CVE-2024-56529 | Hig | 0.46 | 7.1 | 0.00 | Jan 28, 2025 | Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier. |