Filtered by CWE-384
Filtered by vendor Subscriptions
Total 329 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-1152 1 Ibm 1 Financial Transaction Manager 2024-11-21 N/A
IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293.
CVE-2017-18125 1 Qualcomm 18 Mdm9206, Mdm9206 Firmware, Mdm9607 and 15 more 2024-11-21 N/A
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850, when secure camera is activated it stores captured data in protected buffers. The TEE application which uses secure camera expects those buffers to contain data captured during the current camera session. It is possible though for HLOS to put aside and reuse one or more of the protected buffers with previously captured data during next camera session. Such data reuse must be prevented as the TEE applications expects to receive valid data captured during the current session only.
CVE-2017-18105 1 Atlassian 1 Crowd 2024-11-21 N/A
The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability.
CVE-2017-15304 1 Airtame 2 Hdmi Dongle, Hdmi Dongle Firmware 2024-11-21 N/A
/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change.
CVE-2017-14263 1 Honeywell 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more 2024-11-21 N/A
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.
CVE-2017-14163 1 Mahara 1 Mahara 2024-11-21 N/A
An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
CVE-2017-12965 1 Apache2triad 1 Apache2triad 2024-11-21 N/A
Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVE-2017-12873 2 Debian, Simplesamlphp 2 Debian Linux, Simplesamlphp 2024-11-21 N/A
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-12868 2 Php, Simplesamlphp 2 Php, Simplesamlphp 2024-11-21 N/A
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
CVE-2017-12619 1 Apache 1 Zeppelin 2024-11-21 N/A
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".
CVE-2017-12225 1 Cisco 1 Prime Lan Management Solution 2024-11-21 N/A
A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.
CVE-2017-11562 1 Mt4 1 Senhasegura 2024-11-21 N/A
A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php.
CVE-2017-11191 1 Freeipa 1 Freeipa 2024-11-21 N/A
FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern
CVE-2017-10890 1 Sharp 10 Rx-clv1-p, Rx-clv1-p Firmware, Rx-clv2-b and 7 more 2024-11-21 N/A
Session management issue in RX-V200 firmware versions prior to 09.87.17.09, RX-V100 firmware versions prior to 03.29.17.09, RX-CLV1-P firmware versions prior to 79.17.17.09, RX-CLV2-B firmware versions prior to 89.07.17.09, RX-CLV3-N firmware versions prior to 91.09.17.10 allows an attacker on the same LAN to perform arbitrary operations or access information via unspecified vectors.
CVE-2017-10600 1 Canonical 1 Ubuntu-image 2024-11-21 N/A
ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories.
CVE-2017-1000150 1 Mahara 1 Mahara 2024-11-21 N/A
Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks.
CVE-2017-0892 1 Nextcloud 1 Nextcloud Server 2024-11-21 3.5 Low
Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file.
CVE-2016-9981 1 Ibm 1 Security Appscan 2024-11-21 N/A
IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257
CVE-2016-9703 1 Ibm 1 Security Identity Manager Virtual Appliance 2024-11-21 N/A
IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information.
CVE-2016-9574 1 Mozilla 1 Network Security Services 2024-11-21 N/A
nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.