VYPR

CWE-384

Session Fixation

Compound · Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 8 of 11
  • CVE-2024-37152 (Jun 6, 2024)
    risk 0.00 · cvss · epss 0.02

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This…

  • CVE-2023-6787 (Apr 25, 2024)
    risk 0.00 · cvss · epss 0.01

    A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the…

  • CVE-2024-2260 (Apr 16, 2024)
    risk 0.00 · cvss · epss 0.00

    A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.

  • CVE-2024-30262 (Apr 9, 2024)
    risk 0.00 · cvss · epss 0.01

    Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to…

  • CVE-2024-28197 (Mar 11, 2024)
    risk 0.00 · cvss · epss 0.00

    Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take…

  • CVE-2023-47798 (Feb 8, 2024)
    risk 0.00 · cvss · epss 0.00

    Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an…

  • CVE-2024-24823 (Feb 7, 2024)
    risk 0.00 · cvss · epss 0.00

    Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even if for different user credentials. In this case, the pre-existing session…

  • CVE-2024-23679 (Jan 19, 2024)
    risk 0.00 · cvss · epss 0.01

    Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

  • CVE-2023-49804 (Dec 11, 2023)
    risk 0.00 · cvss · epss 0.00

    Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or…

  • CVE-2023-46733 (Nov 10, 2023)
    risk 0.00 · cvss · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in…

  • CVE-2023-44400 (Oct 9, 2023)
    risk 0.00 · cvss · epss 0.00

    Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3…

  • CVE-2023-40273 (Aug 23, 2023)
    risk 0.00 · cvss · epss 0.01

    The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for…

  • CVE-2023-37946 (Jul 12, 2023)
    risk 0.00 · cvss · epss 0.01

    Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.

  • CVE-2023-3192 (Jun 11, 2023)
    risk 0.00 · cvss · epss 0.00

    Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0.

  • CVE-2023-22648 (Jun 1, 2023)
    risk 0.00 · cvss · epss 0.00

    An Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in to the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on…

  • CVE-2023-33005 (May 16, 2023)
    risk 0.00 · cvss · epss 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

  • CVE-2023-32997 (May 16, 2023)
    risk 0.00 · cvss · epss 0.01

    Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.

  • CVE-2023-29019 (Apr 21, 2023)
    risk 0.00 · cvss · epss 0.01

    @fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using `@fastify/passport` in affected versions for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to…

  • CVE-2023-2105 (Apr 15, 2023)
    risk 0.00 · cvss · epss 0.01

    Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

  • CVE-2022-24895 (Feb 3, 2023)
    risk 0.00 · cvss · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login,…