ReportizFlow
Filtered by vendor
Subscriptions
Total
371 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23590 | 2 Apache, Apache Software Foundation | 2 Kylin, Apache Kylin | 2025-07-11 | 9.1 Critical |
| Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | ||||
| CVE-2021-3740 | 1 Chatwoot | 1 Chatwoot | 2025-07-10 | 6.8 Medium |
| A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token. | ||||
| CVE-2025-53021 | 1 Moodle | 1 Moodle | 2025-07-09 | 4.2 Medium |
| A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2022-40916 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-07-03 | 9.8 Critical |
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | ||||
| CVE-2024-57052 | 1 Youdiancms | 1 Youdiancms | 2025-06-27 | 9.8 Critical |
| An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | ||||
| CVE-2025-24502 | 1 Broadcom | 1 Symantec Privileged Access Management | 2025-06-20 | N/A |
| An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. | ||||
| CVE-2024-0351 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-17 | 3.1 Low |
| A vulnerability classified as problematic has been found in SourceCodester Engineers Online Portal 1.0. This affects an unknown part. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250119. | ||||
| CVE-2023-50920 | 2 Gl-inet, Gl.inet | 36 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 33 more | 2025-06-17 | 5.5 Medium |
| An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | ||||
| CVE-2024-13967 | 2025-06-17 | 8.8 High | ||
| This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8. | ||||
| CVE-2024-2260 | 1 Zenml | 1 Zenml | 2025-06-13 | 4.2 Medium |
| A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. | ||||
| CVE-2018-12071 | 1 Codeigniter | 1 Codeigniter | 2025-06-09 | N/A |
| A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2024-23679 | 1 Enonic | 1 Xp | 2025-05-30 | 9.8 Critical |
| Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | ||||
| CVE-2023-52353 | 1 Arm | 1 Mbed Tls | 2025-05-30 | 7.5 High |
| An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum. | ||||
| CVE-2022-3269 | 1 Ikus-soft | 1 Rdiffweb | 2025-05-22 | 9.8 Critical |
| Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. | ||||
| CVE-2022-40630 | 1 Tacitine | 4 En6200-prime Quad-100, En6200-prime Quad-100 Firmware, En6200-prime Quad-35 and 1 more | 2025-05-22 | 6.5 Medium |
| This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted device. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform session fixation on the targeted device. | ||||
| CVE-2024-42171 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 6.4 Medium |
| HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | ||||
| CVE-2024-42170 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 6.8 Medium |
| HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | ||||
| CVE-2023-47798 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-15 | 5.4 Medium |
| Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked. | ||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2025-05-07 | 5.8 Medium |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | ||||