466 matches found
SUSE CVE-2019-12746
An issue was discovered in Open Ticket Request System OTRS Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be...
SUSE CVE-2021-3634
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other sessionid. Initially, both of them are the same, but after key re-exchange, previous sessionid is kept...
SUSE CVE-2021-34428
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being...
UBUNTU-CVE-2022-24895
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enable...
PT-2023-1575 · Symfony +4
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 4.4 Description: The issue is related to incorrect session management in Symfony, a PHP framework for web and console applications. When authenticating users, Symfony by default regenerates the session ID upon login...
CVE-2022-46910
creation_timestamp | type | source
2022-12-20 22:12:47+00:00 | seen | https://t.me/cibsecurity/55004...
PT-2022-24784 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in the offline access scope in Keycloak, affecting users of shared computers more, especially if cookies are not cleared. This issue is due to a lack of root session...
Session Fixation
Overview: tribalsystems/zenario is a web-based content management system for sites with one or many languages. Affected versions of this package are vulnerable to Session Fixation such that the user session identifier (authentication token) is issued to the browser prior to authenticati...
CVE-2022-44007
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation...
Red Hat Keycloak Code Issue Vulnerability
Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A security vulnerability exists in the Red Hat Keycloak offline_access scope, which stems from a lack of root session authentication and reuse of session...
The vulnerability in Fortinet FortiDeceptor, a tool for detecting and responding to external and internal security threats, is related to an incorrect session validity period. This allows attackers to escalate their privileges.
The vulnerability in Fortinet FortiDeceptor, a tool for detecting and responding to external and internal security threats, is related to an incorrect session duration. Exploiting this vulnerability allows a remote attacker to escalate their privileges by using the session identifier...
CVE-2022-42159
creation_timestamp | type | source
2022-10-13 22:28:21+00:00 | seen | https://t.me/cibsecurity/51356...
Inductive Automation Ignition Security Vulnerability
Inductive Automation Ignition is a suite of integrated software platforms for SCADA systems from Inductive Automation, USA. The platform supports SCADA data acquisition and monitoring systems, HMI (human-machine interface) and more. A security vulnerability exists in Inductive Automation Ignition...
CVE-2022-31273
An issue in TopIDP3000 Topsec Operating System tos_3.3.005.665b.15smp_idp allows attackers to perform a brute-force attack via a crafted session_id cookie...
CVE-2021-35530 User authentication bypass in TXpert Hub CoreTec 4
A vulnerability in the application authentication and authorization mechanism in Hitachi Energy's TXpert Hub CoreTec 4, that depends on a token validation of the session identifier, allows an unauthorized modified message to be executed in the server enabling an unauthorized actor to change an...
Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them
Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," latest research has found. The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a...
Gibbon Authorization Issue Vulnerability
Gibbon is a school platform that solves real-world problems that educators encounter every day. A security vulnerability exists in Gibbon version v23 that stems from the application not generating a new session ID cookie after a user is authenticated. The application is vulnerable to session...
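Several entries above describe the same two login-time mistakes: not rotating the session identifier at all (the Zenario, BACKCLICK and Gibbon session fixation entries), and rotating it but migrating every attribute, so a CSRF token minted before login survives it (the Symfony CVE-2022-24895 entry). The example below is added here to show both failure modes beside the hardened handler; it is not code from any of the projects listed, and its in-memory `SessionStore`, the three `login_*` handlers, `fixation_scenario` and the attacker/victim sequence are assumptions constructed for illustration.

```python
import hmac
import secrets


class SessionStore:
    """In-memory server-side session store (illustrative only, not any project's code)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def csrf_token(self, sid):
        # Synchroniser-token pattern: one token per session, minted lazily and
        # embedded in forms. It exists before login so the login form itself is protected.
        sess = self._sessions[sid]
        if "csrf" not in sess:
            sess["csrf"] = secrets.token_urlsafe(32)
        return sess["csrf"]

    # --- three login handlers, from weakest to hardened ---

    def login_no_rotation(self, sid, user):
        # Session fixation: the pre-auth id becomes the authenticated id,
        # so whoever planted that id now owns the logged-in session.
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_keep_attrs(self, sid, user):
        # Rotates the id but migrates every attribute, CSRF token included
        # (the behaviour the Symfony entry describes).
        attrs = self._sessions.pop(sid)
        attrs["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = attrs
        return new_sid

    def login_hardened(self, sid, user):
        # Rotate the id AND discard any token minted before authentication.
        attrs = self._sessions.pop(sid)
        attrs.pop("csrf", None)
        attrs["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = attrs
        return new_sid

    def submit_form(self, sid, token):
        """State-changing endpoint: requires an authenticated session and a matching CSRF token."""
        sess = self._sessions.get(sid)
        if not sess or "user" not in sess:
            return False
        return hmac.compare_digest(sess.get("csrf", ""), token)


def fixation_scenario(login):
    """Run the pre-login planting sequence against one login handler and report what the attacker gets."""
    store = SessionStore()
    # 1. Attacker visits the site anonymously, receives a session id and reads
    #    the CSRF token the login form embeds for that session.
    planted_sid = store.new_session()
    known_token = store.csrf_token(planted_sid)
    # 2. Attacker plants planted_sid in the victim's browser (cookie injection,
    #    a crafted link, a shared machine); the victim then logs in carrying it.
    victim_sid = login(store, planted_sid, "alice")
    # 3a. Attacker presents the id they know: is it now an authenticated session?
    hijacked_sess = store.get(planted_sid)
    session_hijacked = hijacked_sess is not None and "user" in hijacked_sess
    # 3b. Attacker's cross-site page submits a form carrying the token they know;
    #     the victim's browser attaches whatever session cookie it now holds.
    csrf_forged = store.submit_form(victim_sid, known_token)
    return {
        "session_id_rotated": victim_sid != planted_sid,
        "session_hijacked": session_hijacked,
        "csrf_forged": csrf_forged,
    }


if __name__ == "__main__":
    for handler in (SessionStore.login_no_rotation,
                    SessionStore.login_rotate_keep_attrs,
                    SessionStore.login_hardened):
        print(handler.__name__, fixation_scenario(handler))
```

Only the hardened handler closes both doors: rotating the identifier defeats the fixation itself, but the pre-authentication CSRF token must also be discarded (or re-minted) at login, otherwise an attacker who read it from the anonymous login form can still forge state-changing requests against the freshly authenticated session.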
Mattermost Server allows users with a session ID to revoke another users' session
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session...
GHSA-4JJJ-CM7Q-V6HR Jenkins Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the /whoAmI page. In a previous fix, the Cookie header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 an...
GHSA-9XRJ-439H-62HG Improper Authentication in Apache Tomcat
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...