Filtered by CWE-384
Filtered by vendor Subscriptions
Total 329 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-1375 1 Ibm 1 Security Guardium Big Data Intelligence 2024-11-21 N/A
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 137776.
CVE-2018-1148 1 Tenable 1 Nessus 2024-11-21 N/A
In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. An authenticated attacker could maintain system access due to session fixation after a user password change.
CVE-2018-1127 1 Redhat 2 Gluster Storage, Storage 2024-11-21 N/A
Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.
CVE-2018-19443 1 Tryton 1 Tryton 2024-11-21 N/A
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
CVE-2018-18926 1 Gitea 1 Gitea 2024-11-21 N/A
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
CVE-2018-18925 1 Gogs 1 Gogs 2024-11-21 N/A
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
CVE-2018-18380 1 Bigtreecms 1 Bigtree Cms 2024-11-21 N/A
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
CVE-2018-17902 1 Yokogawa 8 Fcj, Fcj Firmware, Fcn-100 and 5 more 2024-11-21 N/A
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions.
CVE-2018-17199 6 Apache, Canonical, Debian and 3 more 9 Http Server, Ubuntu Linux, Debian Linux and 6 more 2024-11-21 N/A
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2018-16495 1 Versa-networks 1 Versa Operating System 2024-11-21 8.8 High
In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.
CVE-2018-16463 1 Nextcloud 1 Nextcloud Server 2024-11-21 N/A
A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares.
CVE-2018-15208 1 Bpcbt 1 Smartvista 2024-11-21 N/A
BPC SmartVista 2 has Session Fixation via the JSESSIONID parameter.
CVE-2018-14387 1 Wondercms 1 Wondercms 2024-11-21 N/A
An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can access the user's account through the active session. The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in.
CVE-2018-13337 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
CVE-2018-13282 1 Synology 1 Photo Station 2024-11-21 N/A
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVE-2018-12538 2 Eclipse, Netapp 12 Jetty, E-series Santricity Management Plug-ins, E-series Santricity Os Controller and 9 more 2024-11-21 N/A
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
CVE-2018-12071 1 Codeigniter 1 Codeigniter 2024-11-21 N/A
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
CVE-2018-11714 1 Tp-link 4 Tl-wr840n, Tl-wr840n Firmware, Tl-wr841n and 1 more 2024-11-21 N/A
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.
CVE-2018-11571 1 Clippercms 1 Clippercms 2024-11-21 N/A
ClipperCMS 1.3.3 allows Session Fixation.
CVE-2018-11567 1 Amazon 10 Echo, Echo Dot, Echo Dot Firmware and 7 more 2024-11-21 N/A
Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously designed skill is installed, an attacker could obtain transcripts of speech not intended for Alexa to process, but simply spoken within the device's hearing range. NOTE: The vendor states "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do. Customers do not need to take any action for these mitigations to work.