VYPR

CWE-384

Session Fixation

Structure: Compound · Status: Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 3 of 11
  • CVE-2026-44553 · High · May 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked…

  • CVE-2026-30808 · High · May 12, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800

  • CVE-2025-71057 · High · Feb 26, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.

  • CVE-2025-42602 · High · Apr 23, 2025
    risk 0.53 · cvss (not listed) · epss 0.00

    This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body…

  • CVE-2018-10252 · High · May 14, 2018
    risk 0.53 · cvss 8.1 · epss 0.01

    An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. The admin login session cookie is insecurely generated making admin session hijacking possible. When an admin logs in, a session cookie is generated using the time of day rounded to 10ms. Since the web…

  • CVE-2018-0564 · High · Apr 20, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3..4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13,…

  • CVE-2017-14263 · High · Sep 11, 2017
    risk 0.53 · cvss 8.1 · epss 0.04

    Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with…

  • CVE-2016-9981 · High · Aug 2, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257

  • CVE-2017-4963 · High · Jun 13, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate…

  • CVE-2009-10007 · Critical · Jun 9, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to…

  • CVE-2018-11475 · High · May 25, 2018
    risk 0.52 · cvss 8.0 · epss 0.01

    Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser.

  • CVE-2018-11474 · High · May 25, 2018
    risk 0.52 · cvss 8.0 · epss 0.01

    Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.

  • CVE-2016-8638 · Critical · Jul 12, 2017
    risk 0.52 · cvss 9.1 · epss 0.02

    A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows an attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and…

  • CVE-2017-4014 · High · May 17, 2017
    risk 0.52 · cvss 8.0 · epss 0.01

    Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request.

  • CVE-2024-22250 · High · Feb 20, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Session Hijack vulnerability in the deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a Windows operating system to hijack a privileged EAP session when it is initiated by a privileged domain user on the same system.

  • CVE-2018-14387 · High · Jul 18, 2018
    risk 0.50 · cvss 8.8 · epss 0.02

    An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can…

  • CVE-2018-9026 · High · Jun 18, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request.

  • CVE-2017-3968 · High · Jun 13, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Session fixation vulnerability in the web interface in McAfee Network Security Manager (NSM) before 8.2.7.42.2 and McAfee Network Data Loss Prevention (NDLP) before 9.3.4.1.5 allows remote attackers to disclose sensitive information or manipulate the database via a crafted…

  • CVE-2013-2049 · High · May 1, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.

  • CVE-2017-18125 · High · Apr 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850, when secure camera is activated it stores captured data in protected buffers. The TEE application which…