CVE-2026-46367
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...
CVE-2026-42155
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based...
Design/Logic Flaw
Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...
CVE-2017-17476
Open Ticket Request System OTRS 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email...
F5 Networks BIG-IP : Linux TCP stack vulnerability (K46514822)
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack. CVE-2016-5696 © Tenable Network Security, Inc. The descriptive text and...
CVE-2015-8124
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id...
CVE-2014-4831
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors...
Ubuntu 14.04 LTS : Django vulnerabilities (USN-2347-1)
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2347-1 advisory. Florian Apolloner discovered that Django incorrectly validated URLs. A remote attacker could use this issue to conduct phishing attacks. CVE-2014-0480...
Session fixation
Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors...
CVE-2014-3909
CVE-2014-3909 describes a session-fixation vulnerability in WisePoint (Falcon System Consulting) versions 4.1.19.7 and earlier. The issue allows an attacker to hijack or impersonate a logged-in user through unspecified vectors targeting web sessions. Affected component: WisePoint software; root c...
CVE-2014-3909
Session fixation vulnerability in Falcon WisePoint 4.1.19.7 and earlier allows remote attackers to hijack web sessions via unspecified vectors...
CVE-2013-7387
CVE-2013-7387 affects DataLife Engine (DLE) 9.7 and earlier. The vulnerability is a session fixation flaw allowing remote attackers to hijack web sessions via the PHPSESSID cookie. The connected documents specify the affected product/version and the attack vector but do not provide concrete reme...
Session fixation
Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors...
CVE-2014-2047
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors...
Design/Logic Flaw
IBM InfoSphere Information Server 8.0, 8.1, 8.5 through FP3, 8.7, and 9.1 allows remote attackers to hijack sessions and read cookie values, or conduct phishing attacks to capture credentials, via unspecified vectors...
CVE-2012-4937
Session fixation vulnerability in the web interface in Pattern Insight 2.3 allows remote attackers to hijack web sessions via a jsessionid cookie...
Code injection
HP Business Availability Center BAC 8.07 allows remote authenticated users to hijack web sessions via unspecified vectors...
CVE-2011-3424
Session fixation vulnerability in the Managed File Transfer server in TIBCO Managed File Transfer Internet Server before 7.1.1 and Managed File Transfer Command Center before 7.1.1, and the server in TIBCO Slingshot before 1.8.1, allows remote attackers to hijack web sessions via unspecified...
Barracuda Web Firewall 660 Firmware 7.3.1.007 - Multiple Vulnerabilities
Pentest Information: ==================== GESEC Team discovered an input validation vulnerability in the Barracuda Web Application Firewall 660 Appliance. A remote attacker is able to hijack sensitive customer sessions or implement script routines & malicious codes server-side|persistent...
CVE-2009-3657
CVE-2009-3657 describes a session fixation vulnerability in the Drupal-related module “Shared Sign-On” versions 5.x and 6.x. The issue allows remote attackers to hijack user sessions via unspecified vectors, as noted in the NVD entry and related records. The vulnerability is characterized as a se...