Filtered by CWE-384
Filtered by vendor Subscriptions
Total 329 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-9125 1 Revive-adserver 1 Revive Adserver 2024-11-21 N/A
Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.
CVE-2016-8638 2 Ipsilon Project, Redhat 2 Ipsilon, Enterprise Linux 2024-11-21 N/A
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."
CVE-2016-8609 1 Redhat 2 Jboss Single Sign On, Keycloak 2024-11-21 N/A
It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.
CVE-2016-6545 1 Ieasytec 1 Itrackeasy 2024-11-21 N/A
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password.
CVE-2016-6043 1 Ibm 1 Tivoli Storage Manager 2024-11-21 N/A
Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.
CVE-2016-6040 1 Ibm 1 Rational Collaborative Lifecycle Management 2024-11-21 N/A
IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced.
CVE-2016-10405 2 D-link, Dlink 2 Dir-600l Firmware, Dir-600l 2024-11-21 N/A
Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2016-10205 1 Zoneminder 1 Zoneminder 2024-11-21 N/A
Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.
CVE-2016-0721 3 Clusterlabs, Fedoraproject, Redhat 3 Pcs, Fedora, Enterprise Linux 2024-11-21 N/A
Session fixation vulnerability in pcsd in pcs before 0.9.157.
CVE-2015-5384 1 Axiomsl 1 Axiom 2024-11-21 N/A
AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack.
CVE-2015-4594 1 Eclinicalworks 1 Population Health 2024-11-21 N/A
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.
CVE-2015-1820 2 Redhat, Rest-client Project 4 Cloudforms Managementengine, Satellite, Satellite Capsule and 1 more 2024-11-21 N/A
REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
CVE-2015-1174 1 Unit4 1 Teta Web 2024-11-21 N/A
Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.
CVE-2014-4789 1 Ibm 1 Initiate Master Data Service 2024-11-21 N/A
Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2014-2066 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-11-21 N/A
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.
CVE-2014-125048 1 Kluks 1 Xingwall 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session fixiation. The patch is named e9f0d509e1408743048e29d9c099d36e0e1f6ae7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217559.
CVE-2014-10400 1 Keplerproject 1 Cgilua 2024-11-21 6.1 Medium
The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
CVE-2014-10399 1 Keplerproject 1 Cgilua 2024-11-21 6.1 Medium
The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
CVE-2014-0152 2 Ovirt, Redhat 3 Ovirt, Ovirt-engine, Rhev Manager 2024-11-21 N/A
Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2014-0090 2 Redhat, Theforeman 2 Satellite, Foreman 2024-11-21 N/A
Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie.