VYPR

CWE-488

Exposure of Data Element to Wrong Session

BaseDraft

Description

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-59 · CAPEC-60

CVEs mapped to this weakness (19)

  • CVE-2024-27455CriFeb 26, 2024
    risk 0.59cvss 9.1epss 0.01

    In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03.

  • CVE-2025-47928CriMay 15, 2025
    risk 0.52cvss 9.1epss 0.00

    Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha of a forked PR can be exploited by attackers, since…

  • CVE-2025-30073HigMar 26, 2025
    risk 0.49cvss 7.5epss 0.00

    An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. The reference assigned to transactions can be reused. When completing a payment, the first or all transactions with the same reference are completed, depending on timing. This can be used to transfer more money…

  • CVE-2024-5148HigSep 2, 2024
    risk 0.49cvss 7.5epss 0.01

    A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP…

  • CVE-2023-6519HigFeb 8, 2024
    risk 0.49cvss 7.5epss 0.01

    Exposure of Data Element to Wrong Session vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable. This issue affects MİA-MED: before 1.0.7.

  • CVE-2025-1247HigFeb 13, 2025
    risk 0.47cvss 8.3epss 0.01

    A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

  • CVE-2026-34391HigMar 27, 2026
    risk 0.42cvss 7.5epss 0.00

    Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi…

  • CVE-2024-6162HigJun 20, 2024
    risk 0.42cvss 7.5epss 0.02

    A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path…

  • CVE-2026-9831MedMay 29, 2026
    risk 0.41cvss 6.3epss 0.00

    A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for…

  • CVE-2026-46416MedMay 27, 2026
    risk 0.41cvss 6.3epss 0.00

    Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection…

  • CVE-2025-2312MedMar 25, 2025
    risk 0.38cvss 5.9epss 0.00

    A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos…

  • CVE-2024-8314MedMar 25, 2025
    risk 0.36cvss epss 0.00

    An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Ses-sion vulnerability in the session handling used in B&R APROL <4.4-00P5 may allow an authenticated network attacker to take over a currently active user session without login…

  • CVE-2025-24934MedOct 22, 2025
    risk 0.35cvss 5.4epss 0.00

    Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the…

  • CVE-2024-11094MedNov 16, 2024
    risk 0.34cvss 5.3epss 0.00

    The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35.17 via the export feature. This makes it possible for unauthenticated attackers to extract data such as redirects including GET parameters which may…

  • CVE-2026-54311Jun 16, 2026
    risk 0.00cvss epss 0.00

    ## Impact An authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by…

  • CVE-2026-27492Feb 21, 2026
    risk 0.00cvss epss 0.00

    Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause…

  • CVE-2023-1907Jan 9, 2025
    risk 0.00cvss epss 0.00

    A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

  • CVE-2024-27935Mar 6, 2024
    risk 0.00cvss epss 0.01

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams…

  • CVE-2022-3916Sep 20, 2023
    risk 0.00cvss epss 0.01

    A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This…