CWE:

	Tytuł	Data	Autor
Low	OpenVPN Access Server 2.1.4 CRLF Injection	27.05.2017	SYSDREAM
Med.	Horsys v8 multiple vulnerabilities	23.06.2016	Florian Nivette
Med.	FancyFon FAMOC 3.16.5 Session Fixation	28.01.2015	Matthias Deeg
Med.	Jasper Server 5.5 Session Fixation	11.05.2014	Felipe Andrian Peixoto

---

Common Weakness Enumeration (CWE)

CVE

Szczegóły

Opis

2020-05-19

Medium

CVE-2020-8434

Vendor: Jenzabar Software: Internet cam...

Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented).

2020-05-18

Medium

CVE-2020-12258

Vendor: Rconfig Software: Rconfig

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259.

2020-05-13

Medium

CVE-2020-1993

Vendor: Paloaltonetworks Software: Pan-os

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

2020-05-07

Medium

CVE-2020-5894

Vendor: F5 Software: Nginx controller

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.

2020-04-29

Medium

CVE-2020-12467

Vendor: Intelliants Software: Subrion

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.

2020-04-27

Medium

CVE-2020-1762

Vendor: Kiali Software: Kiali

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

2020-04-24

Low

CVE-2020-6824

Vendor: Mozilla Software: Firefox

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75.

2020-04-15

Medium	CVE-2020-11728	Vendor: Davical Software: Andrew\'s we...	An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session.
Medium	CVE-2020-11729	Vendor: Davical Software: Andrew\'s we...	An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful.

2020-04-08

Medium

CVE-2020-8826

Vendor: CNCF Software: Argo continu...

 

---

Copyright 2020, cxsecurity.com