Fortinet FortiWeb - Weak generation of WAF session IDs leads to session fixation (FG-IR-21-214)
The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-21-214 advisory. - A condition for session fixation vulnerability CWE-384 in the session management of FortiWeb versions 6.4 all versions, 6.3....
CVE-2021-42761
A condition for session fixation vulnerability CWE-384 in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session...
CVE-2021-42761
CVE-2021-42761 affects FortiWeb WAF session management. A session-fixation condition could allow a remote, unauthenticated attacker to infer other users’ session identifiers and potentially hijack sessions. Affected FortiWeb versions include 6.4 (all), 6.3.0–6.3.16, 6.2.0–6.2.6, 6.1.0–6.1.2, 6.0....
Jenkins Enterprise and Operations Center 2.346.x < 2.346.40.0.6 / 2.361.3.4 Multiple Vulnerabilities (CloudBees Security Advisory 2022-11-15)
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.346.x prior to 2.346.40.0.6 or 2.x prior to 2.361.3.4. It is, therefore, affected by multiple vulnerabilities including the following: - CVE-2022-38751 on snakeyaml fixed train 2.346.x.0.z BEE-237...
curl: Cookie injection from non-secure context
Summary: Curl allows injecting cookies over insecure HTTP connection that will then be sent to the target site when connecting over HTTPS. As documented in lib/cookie.c https://github.com/curl/curl/blob/a04f0b961333e1a19848d073d8c7db9c20b2a371/lib/cookie.c#L1039 this should not be possible: / A...
CVE-2021-32543
The CVE-2021-32543 issue affects the CTS Web transaction system (authentication management) from Cascade Information Technology, Taiwan. The root cause is an incorrect authentication implementation that allows a post-login attacker to manipulate cookies, access other accounts, and trade in the st...
JVN#52695336: EC-CUBE vulnerable to session fixation
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability CWE-384. Impact A remote attacker impersonating a logged in user may perform an unintended operation with the user's privilege. Solution Update the Softwa...
CVE-2017-0356
A flaw, similar to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters...
OpenVPN Access Server 2.1.4 CRLF Injection
OpenVPN Access Server : CRLF injection with Session fixation Description OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client...
Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation Vulnerabilities
Revive Adserver versions 4.0.0 and below suffer from cross site scripting, session fixation, and deserialization of untrusted data vulnerabilities. Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation Applications affected: Revive Adserver Versions affected: = 4.0.1 Website:...
CVE-2014-2060
The CVE-2014-2060 entry describes a vulnerability in Jenkins where the Winstone servlet container (org.jenkins-ci:winstone) used by Jenkins before version 1.551 and LTS before 1.532.2 allows remote attackers to hijack user sessions via unspecified vectors. The impact is session hijacking without ...
Jasper Server 5.5 Session Fixation
Session Fixation / Hijacking on JasperServer + Date: 09/05/2014 + Risk: High + CWE number: CWE-384 + Author: Felipe Andrian Peixoto + Vendor Homepage: http://www.jaspersoft.com/ + Software Download : http://sourceforge.net/projects/jasperserver/ + Contact: [email protected] + Tested on:...
Siemens SIMATIC WinCC Vulnerabilities (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-14-205-02 Siemens SIMATIC WinCC Vulnerabilities that was published July 24, 2014, on the NCCIC/ICS-CERT web site. Researchers Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai of Positive...