CWE:
 

Topic
Date
Author
Low
OpenVPN Access Server 2.1.4 CRLF Injection
27.05.2017
SYSDREAM
Med.
Horsys v8 multiple vulnerabilities
23.06.2016
Florian Nivette
Med.
FancyFon FAMOC 3.16.5 Session Fixation
28.01.2015
Matthias Deeg
Med.
Jasper Server 5.5 Session Fixation
11.05.2014
Felipe Andrian Peixoto


CVEMAP Search Results

CVE
Details
Description
2019-05-31
Medium
CVE-2019-10045

Vendor: Pydio
Software: Pydio
 

 
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active).

 
2019-05-03
Medium
CVE-2019-1807

Vendor: Cisco
Software: Umbrella
 

 
A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. No user action is required.

 
2019-04-30
Medium
CVE-2018-15208

Vendor: Bpcbt
Software: Smartvista
 

 
BPC SmartVista 2 has Session Fixation via the JSESSIONID parameter.

 
2019-04-24
Medium
CVE-2019-10008

Vendor: Zohocorp
Software: Servicedesk plus
 

 
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

 
2019-04-23
Medium
CVE-2017-12619

Vendor: Apache
Software: Zeppelin
 

 
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".

 
2019-04-12
Medium
CVE-2019-11213

Vendor: Pulsesecure
Software: Pulse connec...
 

 
In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3.

 
2019-04-03
Medium
CVE-2015-5384

Vendor: Axiomsl
Software: Axiom
 

 
AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack.

 
2019-04-02
Low
CVE-2018-1626

Vendor: IBM
Software: Security pri...
 

 
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 144411.

 
2019-04-01
Medium
CVE-2019-5523

Updating...
 

 
VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.

 
2019-03-29
Medium
CVE-2017-18105

Vendor: Atlassian
Software: Crowd
 

 
The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability.

 

 


Copyright 2019, cxsecurity.com

 

Back to Top