Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-24477 | 1 Nozominetworks | 2 Cmc, Guardian | 2024-11-21 | 7 High |
| In certain conditions, depending on timing and the usage of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Thus an authenticated local attacker may gain acces to the original user's session. | ||||
| CVE-2023-21239 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-21238 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2022-46480 | 1 U-tec | 2 Ultraloq Ul3 Bt, Ultraloq Ul3 Bt Firmware | 2024-11-21 | 8.1 High |
| Incorrect Session Management and Credential Re-use in the Bluetooth LE stack of the Ultraloq UL3 2nd Gen Smart Lock Firmware 02.27.0012 allows an attacker to sniff the unlock code and unlock the device whilst within Bluetooth range. | ||||
| CVE-2022-43398 | 1 Siemens | 4 7kg9501-0aa01-2aa1, 7kg9501-0aa01-2aa1 Firmware, 7kg9501-0aa31-2aa1 and 1 more | 2024-11-21 | 7.5 High |
| A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not renew the session cookie after login/logout and also accept user defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim logged in, the attacker is given access to the user's account through the activated session. | ||||
| CVE-2022-3916 | 1 Redhat | 9 Enterprise Linux, Keycloak, Openshift Container Platform and 6 more | 2024-11-21 | 6.8 Medium |
| A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | ||||
| CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-11-21 | 8.8 High |
| Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. | ||||
| CVE-2022-38054 | 1 Apache | 1 Airflow | 2024-11-21 | 9.8 Critical |
| In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | ||||
| CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2024-11-21 | 7.5 High |
| Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | ||||
| CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-11-21 | 6.5 Medium |
| IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704. | ||||
| CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2024-11-21 | 5.4 Medium |
| Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session. | ||||
| CVE-2022-31798 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-11-21 | 6.1 Medium |
| Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account. | ||||
| CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 8.0 High |
| Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. | ||||
| CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2024-11-21 | 7 High |
| Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | ||||
| CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2024-11-21 | 8.8 High |
| Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | ||||
| CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-11-21 | 7.5 High |
| FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. | ||||
| CVE-2022-25896 | 2 Passport Project, Redhat | 2 Passport, Acm | 2024-11-21 | 4.8 Medium |
| This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | ||||
| CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.5 Medium |
| Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | ||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2024-11-21 | 8.1 High |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | ||||
| CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 8.3 High |
| DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session. | ||||