Total: 329 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2014-0033 | 2 Apache, Redhat | 2 Tomcat, Jboss Enterprise Web Server | 2024-11-21 | N/A | org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
CVE-2013-4572 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 7.5 High | The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
CVE-2013-4213 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2024-11-21 | N/A | Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client.
CVE-2013-4128 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2024-11-21 | N/A | Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client.
CVE-2013-2249 | 1 Apache | 1 Http Server | 2024-11-21 | N/A | mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
CVE-2013-2067 | 2 Apache, Redhat | 5 Tomcat, Enterprise Linux, Jboss Enterprise Application Platform and 2 more | 2024-11-21 | N/A | java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
CVE-2013-2049 | 1 Redhat | 2 Cloudforms Management Engine, Cloudforms Managementengine | 2024-11-21 | N/A | Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.
CVE-2013-0507 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | 8.1 High | IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fixation Vulnerability.
CVE-2012-2735 | 2 Redhat, Trevor Mckay | 2 Enterprise Mrg, Cumin | 2024-11-21 | N/A | Session fixation vulnerability in Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, allows remote attackers to hijack web sessions via a crafted session cookie.
CVE-2011-4718 | 1 Php | 1 Php | 2024-11-21 | N/A | Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
CVE-2011-0717 | 1 Redhat | 2 Network Satellite, Network Satellite Server | 2024-11-21 | N/A | Session fixation vulnerability in Red Hat Network (RHN) Satellite Server 5.4 allows remote attackers to hijack web sessions via unspecified vectors related to Spacewalk.
CVE-2010-3671 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 Medium | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
CVE-2010-1434 | 1 Joomla | 1 Joomla! | 2024-11-21 | 7.5 High | Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
CVE-2009-1580 | 2 Redhat, Squirrelmail | 2 Enterprise Linux, Squirrelmail | 2024-11-21 | N/A | Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.
CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2024-11-21 | N/A | Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
CVE-2007-4188 | 1 Joomla | 1 Joomla! | 2024-11-21 | N/A | Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
CVE-2001-1534 | 1 Apache | 1 Http Server | 2024-11-21 | N/A | mod_usertrack in Apache 1.3.11 through 1.3.20 generates session IDs using predictable information including host IP address, system time and server process ID, which allows local users to obtain session IDs and bypass authentication when these session IDs are used for authentication.
CVE-1999-0428 | 1 Openssl | 1 Openssl | 2024-11-21 | 6.5 Medium | OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVE-2023-52268 | 1 Freescout Helpdesk | 1 Freescout | 2024-11-19 | 9.1 Critical | The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub.
CVE-2021-3740 | 1 Chatwoot | 1 Chatwoot | 2024-11-15 | 6.8 Medium | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.