CWE:

Risk | Title | Date | Author
Low | OpenVPN Access Server 2.1.4 CRLF Injection | 27.05.2017 | SYSDREAM
Med. | Horsys v8 multiple vulnerabilities | 23.06.2016 | Florian Nivette
Med. | FancyFon FAMOC 3.16.5 Session Fixation | 28.01.2015 | Matthias Deeg
Med. | Jasper Server 5.5 Session Fixation | 11.05.2014 | Felipe Andrian Peixoto


Common Weakness Enumeration (CWE)

Date | Risk | CVE | Details
Description

2020-05-19 | Medium | CVE-2020-8434 | Vendor: Jenzabar | Software: Internet cam...
Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented).

2020-05-18 | Medium | CVE-2020-12258 | Vendor: Rconfig | Software: Rconfig
rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259.

2020-05-13 | Medium | CVE-2020-1993 | Vendor: Paloaltonetworks | Software: Pan-os
The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

2020-05-07 | Medium | CVE-2020-5894 | Vendor: F5 | Software: Nginx controller
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.

2020-04-29 | Medium | CVE-2020-12467 | Vendor: Intelliants | Software: Subrion
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.

2020-04-27 | Medium | CVE-2020-1762 | Vendor: Kiali | Software: Kiali
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

2020-04-24 | Low | CVE-2020-6824 | Vendor: Mozilla | Software: Firefox
Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75.

2020-04-15 | Medium | CVE-2020-11728 | Vendor: Davical | Software: Andrew's we...
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session.

Medium | CVE-2020-11729 | Vendor: Davical | Software: Andrew's we...
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, used to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful.

2020-04-08 | Medium | CVE-2020-8826 | Vendor: CNCF | Software: Argo continu...


Copyright 2020, cxsecurity.com