Filtered by CWE-384
Filtered by vendor Subscriptions
Total 329 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2014-0033 2 Apache, Redhat 2 Tomcat, Jboss Enterprise Web Server 2024-11-21 N/A
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
CVE-2013-4572 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 7.5 High
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
CVE-2013-4213 1 Redhat 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform 2024-11-21 N/A
Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client.
CVE-2013-4128 1 Redhat 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform 2024-11-21 N/A
Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client.
CVE-2013-2249 1 Apache 1 Http Server 2024-11-21 N/A
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
CVE-2013-2067 2 Apache, Redhat 5 Tomcat, Enterprise Linux, Jboss Enterprise Application Platform and 2 more 2024-11-21 N/A
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
CVE-2013-2049 1 Redhat 2 Cloudforms Management Engine, Cloudforms Managementengine 2024-11-21 N/A
Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.
CVE-2013-0507 1 Ibm 1 Infosphere Information Server 2024-11-21 8.1 High
IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fixation Vulnerability
CVE-2012-2735 2 Redhat, Trevor Mckay 2 Enterprise Mrg, Cumin 2024-11-21 N/A
Session fixation vulnerability in Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, allows remote attackers to hijack web sessions via a crafted session cookie.
CVE-2011-4718 1 Php 1 Php 2024-11-21 N/A
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
CVE-2011-0717 1 Redhat 2 Network Satellite, Network Satellite Server 2024-11-21 N/A
Session fixation vulnerability in Red Hat Network (RHN) Satellite Server 5.4 allows remote attackers to hijack web sessions via unspecified vectors related to Spacewalk.
CVE-2010-3671 1 Typo3 1 Typo3 2024-11-21 6.5 Medium
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
CVE-2010-1434 1 Joomla 1 Joomla\! 2024-11-21 7.5 High
Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
CVE-2009-1580 2 Redhat, Squirrelmail 2 Enterprise Linux, Squirrelmail 2024-11-21 N/A
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.
CVE-2008-3222 2 Drupal, Fedoraproject 2 Drupal, Fedora 2024-11-21 N/A
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
CVE-2007-4188 1 Joomla 1 Joomla\! 2024-11-21 N/A
Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
CVE-2001-1534 1 Apache 1 Http Server 2024-11-21 N/A
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.
CVE-1999-0428 1 Openssl 1 Openssl 2024-11-21 6.5 Medium
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVE-2023-52268 1 Freescout Helpdesk 1 Freescout 2024-11-19 9.1 Critical
The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub.
CVE-2021-3740 1 Chatwoot 1 Chatwoot 2024-11-15 6.8 Medium
A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.