VYPR

CWE-384

Session Fixation

Structure: Compound · Status: Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children: none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 5 of 11
  • CVE-2018-1375 · Medium · May 29, 2018
    risk 0.39 · cvss 5.9 · epss 0.02

    IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force…

  • CVE-2017-5141 · Medium · Feb 13, 2017
    risk 0.39 · cvss 6.0 · epss 0.01

    An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal…

  • CVE-2016-9574 · Medium · Jul 19, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.

  • CVE-2018-1000173 · Medium · May 8, 2018
    risk 0.38 · cvss 5.9 · epss 0.02

    A session fixation vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

  • CVE-2017-10600 · Medium · Jul 11, 2017
    risk 0.38 · cvss 5.9 · epss 0.00

    ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd…

  • CVE-2017-5831 · Medium · Mar 3, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID.

  • CVE-2026-48545 · Medium · May 27, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can…

  • CVE-2025-7014 · Medium · Jan 29, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

  • CVE-2025-7015 · Medium · Jan 29, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12.

  • CVE-2024-56733 · Medium · Dec 30, 2024
    risk 0.37 · cvss 5.7 · epss 0.00

    Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although…

  • CVE-2024-28144 · Medium · Dec 12, 2024
    risk 0.36 · cvss 5.5 · epss 0.00

    An attacker who can spoof the IP address and the User-Agent of a logged-in user can take over the session because of flaws in the self-developed session management. If two users access the web interface from the same IP, they are logged in as the other user.

  • CVE-2018-0359 · Medium · Jun 21, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid user session identifier, aka Session Fixation. The vulnerability exists because…

  • CVE-2026-45773 · Medium · May 15, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web…

  • CVE-2025-65415 · Medium · May 11, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application.

  • CVE-2025-22216 · Medium · Jan 31, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A UAA configured with multiple identity zones does not properly validate session information across those zones. A user authenticated against a corporate IDP can re-use their jsessionid to access other zones.

  • CVE-2018-1000519 · Medium · Jun 26, 2018
    risk 0.35 · cvss 6.5 · epss 0.01

    aio-libs aiohttp-session contains a Session Fixation vulnerability in the load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be…

  • CVE-2017-2145 · Medium · Jul 7, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors.

  • CVE-2016-9851 · Medium · Dec 11, 2016
    risk 0.35 · cvss 5.3 · epss 0.01

    An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.

  • CVE-2020-36913 · Medium · Jan 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass…

  • CVE-2025-24502 · Medium · Jan 30, 2025
    risk 0.34 · cvss (not given) · epss 0.00

    An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address.