CWE-384
Session Fixation
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (205)
page 8 of 11

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37152 | | | 0.00 | — | 0.02 | | Jun 6, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This… |
| CVE-2023-6787 | | | 0.00 | — | 0.01 | | Apr 25, 2024 | A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the… |
| CVE-2024-2260 | | | 0.00 | — | 0.00 | | Apr 16, 2024 | A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. |
| CVE-2024-30262 | | | 0.00 | — | 0.01 | | Apr 9, 2024 | Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to… |
| CVE-2024-28197 | | | 0.00 | — | 0.00 | | Mar 11, 2024 | Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take… |
| CVE-2023-47798 | | | 0.00 | — | 0.00 | | Feb 8, 2024 | Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an… |
| CVE-2024-24823 | | | 0.00 | — | 0.00 | | Feb 7, 2024 | Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even if for different user credentials. In this case, the pre-existing session… |
| CVE-2024-23679 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. |
| CVE-2023-49804 | | | 0.00 | — | 0.00 | | Dec 11, 2023 | Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or… |
| CVE-2023-46733 | | | 0.00 | — | 0.01 | | Nov 10, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in… |
| CVE-2023-44400 | | | 0.00 | — | 0.00 | | Oct 9, 2023 | Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3… |
| CVE-2023-40273 | | | 0.00 | — | 0.01 | | Aug 23, 2023 | The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for… |
| CVE-2023-37946 | | | 0.00 | — | 0.01 | | Jul 12, 2023 | Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login. |
| CVE-2023-3192 | | | 0.00 | — | 0.00 | | Jun 11, 2023 | Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. |
| CVE-2023-22648 | | | 0.00 | — | 0.00 | | Jun 1, 2023 | An Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on… |
| CVE-2023-33005 | | | 0.00 | — | 0.00 | | May 16, 2023 | Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login. |
| CVE-2023-32997 | | | 0.00 | — | 0.01 | | May 16, 2023 | Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. |
| CVE-2023-29019 | | | 0.00 | — | 0.01 | | Apr 21, 2023 | @fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passport` in affected versions for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to… |
| CVE-2023-2105 | — | | 0.00 | — | 0.01 | | Apr 15, 2023 | Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2022-24895 | | | 0.00 | — | 0.01 | | Feb 3, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login,… |