CWE-384
Session Fixation
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (205)
page 5 of 11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1375 | Med | 0.39 | 5.9 | 0.02 | May 29, 2018 | IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force… | ||
| CVE-2017-5141 | Med | 0.39 | 6.0 | 0.01 | Feb 13, 2017 | An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal… | ||
| CVE-2016-9574 | Med | 0.38 | 5.9 | 0.01 | Jul 19, 2018 | nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. | ||
| CVE-2018-1000173 | — | Med | 0.38 | 5.9 | 0.02 | May 8, 2018 | A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |
| CVE-2017-10600 | Med | 0.38 | 5.9 | 0.00 | Jul 11, 2017 | ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd… | ||
| CVE-2017-5831 | Med | 0.38 | 5.9 | 0.01 | Mar 3, 2017 | Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. | ||
| CVE-2026-48545 | Med | 0.37 | 6.8 | 0.00 | May 27, 2026 | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can… | ||
| CVE-2025-7014 | Med | 0.37 | 5.7 | 0.00 | Jan 29, 2026 | Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| CVE-2025-7015 | Med | 0.37 | 5.7 | 0.00 | Jan 29, 2026 | Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. | ||
| CVE-2024-56733 | Med | 0.37 | 5.7 | 0.00 | Dec 30, 2024 | Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although… | ||
| CVE-2024-28144 | — | Med | 0.36 | 5.5 | 0.00 | Dec 12, 2024 | An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user. | |
| CVE-2018-0359 | Med | 0.36 | 5.5 | 0.00 | Jun 21, 2018 | A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid user session identifier, aka Session Fixation. The vulnerability exists because… | ||
| CVE-2026-45773 | Med | 0.35 | 6.5 | 0.00 | May 15, 2026 | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web… | ||
| CVE-2025-65415 | Med | 0.35 | 5.4 | 0.00 | May 11, 2026 | docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application. | ||
| CVE-2025-22216 | Med | 0.35 | 5.4 | 0.00 | Jan 31, 2025 | A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones. | ||
| CVE-2018-1000519 | — | Med | 0.35 | 6.5 | 0.01 | Jun 26, 2018 | aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be… | |
| CVE-2017-2145 | Med | 0.35 | 5.4 | 0.01 | Jul 7, 2017 | Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors. | ||
| CVE-2016-9851 | Med | 0.35 | 5.3 | 0.01 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. | ||
| CVE-2020-36913 | — | Med | 0.34 | 5.3 | 0.00 | Jan 6, 2026 | All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass… | |
| CVE-2025-24502 | — | Med | 0.34 | — | 0.00 | Jan 30, 2025 | An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. |
- risk 0.39cvss 5.9epss 0.02
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force…
- risk 0.39cvss 6.0epss 0.01
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal…
- risk 0.38cvss 5.9epss 0.01
nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.
- risk 0.38cvss 5.9epss 0.02
A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
- risk 0.38cvss 5.9epss 0.00
ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd…
- risk 0.38cvss 5.9epss 0.01
Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID.
- risk 0.37cvss 6.8epss 0.00
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can…
- risk 0.37cvss 5.7epss 0.00
Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- risk 0.37cvss 5.7epss 0.00
Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12.
- risk 0.37cvss 5.7epss 0.00
Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although…
- risk 0.36cvss 5.5epss 0.00
An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user.
- risk 0.36cvss 5.5epss 0.00
A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid user session identifier, aka Session Fixation. The vulnerability exists because…
- risk 0.35cvss 6.5epss 0.00
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web…
- risk 0.35cvss 5.4epss 0.00
docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application.
- risk 0.35cvss 5.4epss 0.00
A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.
- risk 0.35cvss 6.5epss 0.01
aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be…
- risk 0.35cvss 5.4epss 0.01
Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.
- risk 0.34cvss 5.3epss 0.00
All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass…
- risk 0.34cvss —epss 0.00
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address.