Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CVE vulnerabilities with CWE-384 (490)
10.0
CVSS
CRITICAL
CVE-2025-63224
pub. 2025-11-19
10.0
CVSS
CRITICAL
CVE-2025-63216
pub. 2025-11-18
10.0
CVSS
CRITICAL
CVE-2024-38513
pub. 2024-07-01
10.0
CVSS
CRITICAL
CVE-2021-20151
pub. 2021-12-30
9.8
CVSS
CRITICAL
CVE-2025-67446
pub. 2026-06-04
9.8
CVSS
CRITICAL
CVE-2025-59841
pub. 2025-09-25
9.8
CVSS
CRITICAL
CVE-2025-52689
pub. 2025-07-16
9.8
CVSS
CRITICAL
CVE-2025-45949
pub. 2025-04-28
9.8
CVSS
CRITICAL
CVE-2025-28238
pub. 2025-04-18
9.8
CVSS
CRITICAL
CVE-2025-28242
pub. 2025-04-18
9.8
CVSS
CRITICAL
CVE-2022-40916
pub. 2025-02-06
9.8
CVSS
CRITICAL
CVE-2024-57052
pub. 2025-01-27
9.8
CVSS
CRITICAL
CVE-2024-13279
pub. 2025-01-09
9.8
CVSS
CRITICAL
CVE-2024-23679
pub. 2024-01-19
9.8
CVSS
CRITICAL
CVE-2023-48929
pub. 2023-12-08
9.8
CVSS
CRITICAL
CVE-2023-42322
pub. 2023-09-20
9.8
CVSS
CRITICAL
CVE-2023-41012
pub. 2023-09-05
9.8
CVSS
CRITICAL
CVE-2023-31498
pub. 2023-05-11
9.8
CVSS
CRITICAL
CVE-2023-28316
pub. 2023-05-09
9.8
CVSS
CRITICAL
CVE-2021-36394
pub. 2023-03-06
Showing 20 of 490 vulnerabilities