Total
386 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-47798 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-15 | 5.4 Medium |
| Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked. | ||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2025-05-07 | 5.8 Medium |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | ||||
| CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | 9.8 Critical |
| The application was vulnerable to a session fixation that could be used hijack accounts. | ||||
| CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | 9.8 Critical |
| VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | ||||
| CVE-2025-45949 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2025-04-30 | 9.8 Critical |
| A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. | ||||
| CVE-2025-45953 | 1 Phpgurukul | 1 Hostel Management System | 2025-04-30 | 9.1 Critical |
| A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely | ||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2025-04-30 | 4.6 Medium |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | ||||
| CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 5.4 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-44007 | 1 Backclick | 1 Backclick | 2025-04-29 | 8.8 High |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. | ||||
| CVE-2022-44788 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | 6.5 Medium |
| An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. | ||||
| CVE-2022-24745 | 1 Shopware | 1 Shopware | 2025-04-23 | 4.8 Medium |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache. | ||||
| CVE-2022-24781 | 1 Geon Project | 1 Geon | 2025-04-23 | 7.1 High |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. | ||||
| CVE-2025-42602 | 2025-04-23 | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | ||||
| CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2025-04-22 | 6.1 Medium |
| Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | ||||
| CVE-2025-28242 | 2025-04-22 | 9.8 Critical | ||
| Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-28238 | 2025-04-22 | 9.8 Critical | ||
| Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. | ||||
| CVE-2017-15304 | 1 Airtame | 2 Hdmi Dongle, Hdmi Dongle Firmware | 2025-04-20 | N/A |
| /bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change. | ||||
| CVE-2015-1820 | 2 Redhat, Rest-client Project | 4 Cloudforms Managementengine, Satellite, Satellite Capsule and 1 more | 2025-04-20 | N/A |
| REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect. | ||||
| CVE-2017-14263 | 1 Honeywell | 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more | 2025-04-20 | N/A |
| Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. | ||||
| CVE-2017-14163 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. | ||||