27 matches found

Nuclei, added yesterday, 25 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboardconfigure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Ad...

CVSS 5.4, AI score 6, EPSS 0.05444
Exploits: 1, References: 3

EUVD, added 2025/10/07 12:30 a.m., 2 views

EUVD-2010-4277

Malware in sbrugna...

CVSS 6.4, AI score 6.4, EPSS 0.00253
Exploits: 0, References: 4

EUVD, added 2025/10/07 12:30 a.m., 3 views

EUVD-2001-1522

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.00387
Exploits: 0, References: 4

EUVD, added 2025/10/07 12:30 a.m., 3 views

EUVD-2014-2378

Malware in sbrugna...

CVSS 6.8, AI score 6.3, EPSS 0.05131
Exploits: 4, References: 9

EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-23245

Malicious code in bioql PyPI...

CVSS 9.8, AI score 6.6, EPSS 0.02398
Exploits: 0, References: 1

Cvelist, added 2025/07/28 12:00 a.m., 4 views

CVE-2025-50492

Improper session invalidation in the component /edms/change-password.php of PHPGurukul e-Diary Management System v1 allows attackers to execute a session hijacking attack...

EPSS 0.00348
Exploits: 0, References: 3

RedhatCVE, added 2025/05/23 4:14 a.m., 5 views

CVE-2023-40732

A vulnerability has been identified in QMS Automotive (All versions V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks...

CVSS 3.9, AI score 6.7, EPSS 0.00113
Exploits: 0

RedhatCVE, added 2025/05/22 9:22 p.m., 4 views

CVE-2021-41553

In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assigns a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without any attempt by the...

CVSS 9.8, AI score 7, EPSS 0.00629
Exploits: 0

RedhatCVE, added 2025/05/22 2:39 a.m., 5 views

CVE-2012-4581

McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, does not disable the server-side session token upon the closing of the Management Console/Dashboard, which makes it easier for remote attackers to hijack sessions by...

CVSS 6.8, AI score 7.1, EPSS 0.00494
Exploits: 0, References: 1

CNVD, added 2025/05/07 12:00 a.m., 4 views

Hostel Management System change-password.php File Session Hijacking Vulnerability

Hostel Management System is a hostel management system. Hostel Management System has a session hijacking vulnerability that stems from improper handling of session data in the file /hostel/change-password.php; no details of the vulnerability are available at this time...

CVSS 9.1, AI score 6.9, EPSS 0.00176
Exploits: 1, References: 1

RedhatCVE, added 2025/03/14 10:26 p.m., 19 views

CVE-2025-27794

Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com) sets cookies scoped to the parent domain (.host.com). This allows session token replacement f...

CVSS 6.8, AI score 6.7, EPSS 0.00377
Exploits: 0, References: 1

CVE, added 2025/03/12 2:00 p.m., 60 views

CVE-2025-27794

Summary: CVE-2025-27794 affects Flarum versions prior to 1.8.10, where an attacker-controlled authoritative subdomain can set cookies for the parent domain, potentially enabling session hijacking on sibling subdomains. What is affected: Flarum core (pre-1.8.10) with cookies scoped to a parent dom...

CVSS 6.8, AI score 6.6, EPSS 0.00377
Exploits: 0, References: 3, Affected Software: 1

NVD, added 2025/02/13 11:15 p.m., 8 views

CVE-2025-22960

A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog), potentially revealing sensitive session-related information such as session IDs (sessid) and...

CVSS 8, EPSS 0.00262
Exploits: 0, References: 1

Vulnrichment, added 2025/02/13 12:00 a.m., 4 views

CVE-2025-22960

A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog), potentially revealing sensitive session-related information such as session IDs (sessid) and...

AI score 8, EPSS 0.00262
Exploits: 0, References: 1

RedhatCVE, added 2025/02/05 5:16 a.m., 3 views

CVE-2024-1052

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS...

CVSS 8, AI score 7, EPSS 0.00303
Exploits: 0, References: 1

Cvelist, added 2025/01/04 12:00 a.m., 14 views

CVE-2025-22387

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking...

EPSS 0.00383
Exploits: 0, References: 1

Cvelist, added 2023/09/18 9:29 p.m., 11 views

CVE-2023-42446 Pow Mnesia cache doesn't invalidate all expired keys on startup

Pow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expi...

CVSS 6.5, AI score 6.9, EPSS 0.00134
Exploits: 1, References: 2

Cvelist, added 2022/03/30 10:09 p.m., 16 views

CVE-2021-46010

Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSIONID is predictable. An attacker can hijack a valid session and conduct further malicious operations...

AI score 8.9, EPSS 0.00863
Exploits: 1, References: 3

OSV, added 2022/02/02 12:15 p.m., 2 views

CVE-2021-39066

IBM Financial Transaction Manager 3.2.4 does not invalidate sessions; any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040...

CVSS 8.8, AI score 6.6
Exploits: 0, References: 2

GithubExploit, added 2019/06/16 4:41 a.m., 98 views

Exploit for Cross-Site Request Forgery (CSRF) in Bobronix Jeditor

CVE-2019-12836, bobronix, https://github.com/9lyph/CVE-2019-...

CVSS 8.8, AI score 8.8, EPSS 0.05366
Exploits: 2