CVEbaza.plCWE DictionaryCWE-384
Common Weakness Enumeration

CWE-384

Session Fixation

Category: CompoundCVE: 490
Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

CVE vulnerabilities with CWE-384 (490)
10.0
CVSS
CRITICAL
CVE-2025-63224

The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

pub. 2025-11-19
10.0
CVSS
CRITICAL
CVE-2025-63216

The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

pub. 2025-11-18
10.0
CVSS
CRITICAL
CVE-2024-38513

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.

pub. 2024-07-01
10.0
CVSS
CRITICAL
CVE-2021-20151

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies/session tokens/etc. This allows an attacker (whether from a different computer, different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over original IP address of the original user's session.

pub. 2021-12-30
9.8
CVSS
CRITICAL
CVE-2025-67446

Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an attacker can bypass the authentication schema and gain unauthorized access to admin functionalities.

pub. 2026-06-04
9.8
CVSS
CRITICAL
CVE-2025-59841

Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.

pub. 2025-09-25
9.8
CVSS
CRITICAL
CVE-2025-52689

Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.

pub. 2025-07-16
9.8
CVSS
CRITICAL
CVE-2025-45949

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.

pub. 2025-04-28
9.8
CVSS
CRITICAL
CVE-2025-28238

Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.

pub. 2025-04-18
9.8
CVSS
CRITICAL
CVE-2025-28242

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.

pub. 2025-04-18
9.8
CVSS
CRITICAL
CVE-2022-40916

Tiny File Manager v2.4.7 and below is vulnerable to session fixation.

pub. 2025-02-06
9.8
CVSS
CRITICAL
CVE-2024-57052

An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.

pub. 2025-01-27
9.8
CVSS
CRITICAL
CVE-2024-13279

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.

pub. 2025-01-09
9.8
CVSS
CRITICAL
CVE-2024-23679

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

pub. 2024-01-19
9.8
CVSS
CRITICAL
CVE-2023-48929

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. The 'sid' parameter in the group_status.asp resource allows an attacker to escalate privileges and obtain sensitive information.

pub. 2023-12-08
9.8
CVSS
CRITICAL
CVE-2023-42322

Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information.

pub. 2023-09-20
9.8
CVSS
CRITICAL
CVE-2023-41012

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the authentication mechanism.

pub. 2023-09-05
9.8
CVSS
CRITICAL
CVE-2023-31498

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to execute arbitrary code and access sensitive information via the session token parameter.

pub. 2023-05-11
9.8
CVSS
CRITICAL
CVE-2023-28316

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled.

pub. 2023-05-09
9.8
CVSS
CRITICAL
CVE-2021-36394

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

pub. 2023-03-06
Showing 20 of 490 vulnerabilities
Information
ID: CWE-384
Type: Compound
Vulnerabilities: 490
MITRE CWE ↗
← CWE Dictionary
CWE-384 — Session Fixation | CWE Dictionary | CVEbaza.pl