VYPR

CWE-384

Session Fixation

Structure: Compound · Status: Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
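The weakness in working form, as an added example that is not code from this page or from any of the products listed on it: a minimal in-memory session layer with a deliberately vulnerable login (authenticates into whatever session ID the client arrived with) beside a hardened one (mints a fresh ID at authentication and discards the pre-auth one), plus a password-change routine that can either revoke the user's other sessions or leave them alive, which is the variant several of the listed advisories describe. The store, user table, session IDs and function names are all illustrative assumptions.

```python
"""Session fixation (CWE-384): vulnerable vs. hardened login in a toy session layer.
Added example with constructed sample data; not the code of any real product."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str | None = None  # None until the session is authenticated


class SessionStore:
    """In-memory session table plus a toy user table (constructed data)."""

    def __init__(self, strict_ids: bool):
        # strict_ids=False: adopt any ID the client presents, even one the server
        # never issued (the behaviour of PHP with session.use_strict_mode=0).
        self.strict_ids = strict_ids
        self.sessions: dict[str, Session] = {}
        self.passwords = {"alice": "correct horse battery staple"}  # sample user

    def _mint(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = Session()
        return sid

    def open(self, presented: str | None) -> str:
        """Return the session ID the server will use for this request."""
        if presented in self.sessions:
            return presented
        if presented is not None and not self.strict_ids:
            # An unknown, attacker-chosen ID becomes a live session. Combined with
            # a login that keeps the ID, this is the classic fixation setup.
            self.sessions[presented] = Session()
            return presented
        return self._mint()

    def whoami(self, sid: str) -> str | None:
        s = self.sessions.get(sid)
        return s.user if s else None

    def check_password(self, user: str, password: str) -> bool:
        return secrets.compare_digest(self.passwords.get(user, ""), password)


def login_vulnerable(store: SessionStore, sid: str | None, user: str, password: str) -> str:
    """CWE-384: marks the session the client arrived with as authenticated."""
    sid = store.open(sid)
    if store.check_password(user, password):
        store.sessions[sid].user = user
    return sid


def login_hardened(store: SessionStore, sid: str | None, user: str, password: str) -> str:
    """Rotate the identifier on privilege change: the pre-auth ID is destroyed,
    so anyone who planted or learned it holds nothing."""
    sid = store.open(sid)
    if not store.check_password(user, password):
        return sid
    store.sessions.pop(sid, None)
    new_sid = store._mint()
    store.sessions[new_sid].user = user
    return new_sid


def change_password(store: SessionStore, sid: str, new_password: str, revoke_others: bool) -> int:
    """Change the caller's password; returns how many of the user's other sessions were revoked.
    revoke_others=False reproduces the 'old sessions stay active after a password change' bug."""
    user = store.whoami(sid)
    if user is None:
        raise PermissionError("not authenticated")
    store.passwords[user] = new_password
    if not revoke_others:
        return 0
    others = [k for k, s in store.sessions.items() if s.user == user and k != sid]
    for k in others:
        del store.sessions[k]
    return len(others)


def fixation_attack(login) -> tuple[str | None, str | None]:
    """Run the attack against a login function: the attacker plants a known session ID
    in the victim's browser (by whatever means: XSS, cookie injection from a sibling host,
    a session ID in a URL) and the victim then logs in with it.
    Returns (who the victim's session belongs to, who the attacker's session belongs to)."""
    store = SessionStore(strict_ids=False)
    attacker_sid = "attacker-chosen-id"
    victim_sid = login(store, attacker_sid, "alice", "correct horse battery staple")
    return store.whoami(victim_sid), store.whoami(attacker_sid)


if __name__ == "__main__":
    print("vulnerable login:", fixation_attack(login_vulnerable))  # attacker's ID is now alice's
    print("hardened login:  ", fixation_attack(login_hardened))    # attacker's ID is dead
```

Rotating the ID at login defends even when the store accepts client-supplied IDs, but both controls belong together: refusing unknown IDs (`strict_ids=True`) removes the attacker's ability to pre-create a session at all, and rotation covers every other privilege transition (logout, role change, password change) where an old identifier would otherwise carry over.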

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 (Session Credential Falsification through Forging) · CAPEC-21 (Exploitation of Trusted Identifiers) · CAPEC-31 (Accessing/Intercepting/Modifying HTTP Cookies) · CAPEC-39 (Manipulating Opaque Client-based Data Tokens) · CAPEC-59 (Session Credential Falsification through Prediction) · CAPEC-60 (Reusing Session IDs (aka Session Replay)) · CAPEC-61 (Session Fixation)

CVEs mapped to this weakness (205) · page 4 of 11
  • CVE-2018-2408 · High · Apr 10, 2018
    risk 0.48 · cvss 7.3 · epss 0.02

    Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using the older password continue to be active.

  • CVE-2016-10205 · High · Mar 3, 2017
    risk 0.48 · cvss 7.3 · epss 0.01

    Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

  • CVE-2026-2177 · High · Feb 8, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixation. It is possible to initiate the attack remotely. The exploit has been disclosed to the…

  • CVE-2024-56529 · High · Jan 28, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote…

  • CVE-2018-11385 · High · Jun 13, 2018
    risk 0.46 · cvss 8.1 · epss 0.02

    An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a…

  • CVE-2016-0721 · High · Apr 21, 2017
    risk 0.46 · cvss 8.1 · epss 0.02

    Session fixation vulnerability in pcsd in pcs before 0.9.157.

  • CVE-2016-6043 · High · Feb 1, 2017
    risk 0.46 · cvss 7.0 · epss 0.00

    Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.

  • CVE-2025-26658 · Medium · Mar 11, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and…

  • CVE-2018-0229 · Medium · Apr 19, 2018
    risk 0.43 · cvss 6.5 · epss 0.04

    A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD)…

  • CVE-2026-43827 · Medium · May 25, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions,…

  • CVE-2026-31940 · High · Apr 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in…

  • CVE-2018-1148 · Medium · May 18, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. An authenticated attacker could maintain system access due to session fixation after a user password change.

  • CVE-2017-12225 · Medium · Sep 7, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication…

  • CVE-2017-5656 · High · Apr 18, 2017
    risk 0.42 · cvss 7.5 · epss 0.07

    Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

  • CVE-2026-11335 · Medium · Jun 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This impacts the function session_start of the file /login-form.php. Executing a manipulation of the argument UserAuthData can lead…

  • CVE-2025-8517 · Medium · Aug 4, 2025
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue.…

  • CVE-2018-2409 · Medium · Apr 10, 2018
    risk 0.41 · cvss 6.3 · epss 0.01

    Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform.

  • CVE-2025-46605 · Medium · Apr 17, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized…

  • CVE-2024-25977 · High · May 29, 2024
    risk 0.40 · cvss 7.3 · epss 0.01

    The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's…

  • CVE-2018-10591 · Medium · May 15, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been…