Common Weakness Enumeration

CWE-384

Allowed

Session Fixation

Abstraction: Compound · Status: Incomplete

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

547 vulnerabilities reference this CWE, most recent first.

GHSA-X2P9-2JC3-8GPP

Vulnerability from github – Published: 2024-04-12 18:33 – Updated: 2024-04-12 18:33
VLAI
Details

Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user's application session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T17:17:21Z",
    "severity": "MODERATE"
  },
  "details": "Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user\u0027s application session.",
  "id": "GHSA-x2p9-2jc3-8gpp",
  "modified": "2024-04-12T18:33:27Z",
  "published": "2024-04-12T18:33:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0157"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-nz/000224070/dsa-2024-143-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2V6-HM65-M6VW

Vulnerability from github – Published: 2023-01-05 09:30 – Updated: 2023-01-11 18:30
VLAI
Details

A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-05T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.",
  "id": "GHSA-x2v6-hm65-m6vw",
  "modified": "2023-01-11T18:30:32Z",
  "published": "2023-01-05T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43529"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-021.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3PR-VRHQ-VQ43

Vulnerability from github – Published: 2026-03-20 20:49 – Updated: 2026-03-25 20:31
VLAI
Summary
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
Details

Summary

AVideo's _session_start() function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in User::login(), this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session.

Details

The vulnerability is a chain of three weaknesses that together enable session fixation:

1. Attacker-controlled session ID acceptance (objects/functionsPHP.php:344-367)

function _session_start(array $options = [])
{
    // ...
    if (isset($_GET['PHPSESSID']) && !_empty($_GET['PHPSESSID'])) {
        $PHPSESSID = $_GET['PHPSESSID'];
        // ...
        if (!User::isLogged()) {
            if ($PHPSESSID !== session_id()) {
                _session_write_close();
                session_id($PHPSESSID);   // <-- sets session to attacker's ID
            }
            $session = @session_start($options);  // <-- starts with attacker's ID

The code reads $_GET['PHPSESSID'] and programmatically calls session_id($PHPSESSID), which bypasses both session.use_only_cookies and session.use_strict_mode PHP settings since the session ID is set via the PHP API, not via cookie/URL handling.

2. Session regeneration bypass for blacklisted endpoints (objects/functionsPHP.php:375-378, objects/functions.php:3100-3116)

// functionsPHP.php:375-378
if (!blackListRegenerateSession()) {
    _session_regenerate_id();  // <-- SKIPPED when blacklisted + same-domain
}
// functions.php:3100-3116
function blackListRegenerateSession()
{
    if (!requestComesFromSafePlace()) {
        return false;
    }
    $list = [
        'objects/getCaptcha.php',
        'objects/userCreate.json.php',
        'objects/videoAddViewCount.json.php',
    ];
    foreach ($list as $needle) {
        if (str_ends_with($_SERVER['SCRIPT_NAME'], $needle)) {
            return true;  // <-- regeneration skipped for these endpoints
        }
    }
    return false;
}

The requestComesFromSafePlace() check at objects/functionsSecurity.php:182 only verifies that HTTP_REFERER matches the AVideo domain. When a victim clicks a link from within the AVideo platform (e.g., in a comment or video description), the browser naturally sets the Referer to the AVideo domain, satisfying this check.

3. Disabled session regeneration on login (objects/user.php:1315-1317)

// Call custom session regenerate logic
// this was regenerating the session all the time, making harder to save info in the session
//_session_regenerate_id();  // <-- COMMENTED OUT

The session regeneration after authentication is explicitly disabled. This means the session ID persists unchanged through the login transition, which is the fundamental requirement for session fixation to succeed.

Amplifying factors

  • objects/phpsessionid.json.php exposes session IDs to any same-origin JavaScript without authentication (line 12: $obj->phpsessid = session_id())
  • view/js/session.js stores the session ID in a global window.PHPSESSID variable and logs it to console (line 15)
  • No session-to-IP or session-to-user-agent binding exists (verified via codebase search)

PoC

Step 1: Attacker obtains a session ID

# Attacker visits the site to get a valid session ID
curl -v https://target.example.com/ 2>&1 | grep 'set-cookie.*PHPSESSID'
# Response: Set-Cookie: PHPSESSID=attacker_known_session_id; ...

Step 2: Attacker injects a link on the platform

The attacker posts a comment on a video or creates content containing a link:

https://target.example.com/objects/getCaptcha.php?PHPSESSID=attacker_known_session_id

This can be placed in a video comment, video description, user bio, or forum post — anywhere AVideo renders user-provided links.

Step 3: Victim clicks the link while browsing AVideo

When the victim clicks the link from within the AVideo platform: 1. Browser sets Referer: https://target.example.com/... (same-domain) 2. _session_start() processes $_GET['PHPSESSID'], victim is not logged in, so session_id('attacker_known_session_id') is called 3. blackListRegenerateSession() returns true (script is getCaptcha.php + same-domain Referer) 4. _session_regenerate_id() is skipped 5. Victim's session is now fixed to attacker_known_session_id

Step 4: Victim logs in

The victim navigates to the login page and authenticates. User::login() populates $_SESSION['user'] but does NOT regenerate the session ID (line 1317 is commented out).

Step 5: Attacker hijacks the authenticated session

# Attacker uses the known session ID to access victim's account
curl -b "PHPSESSID=attacker_known_session_id" https://target.example.com/objects/user.php?userAPI=1
# Response: victim's user data, confirming session hijack

Impact

  • Full account takeover: An attacker can hijack any user's authenticated session, including administrator accounts
  • Data access: Full access to the victim's videos, private content, messages, and personal information
  • Privilege escalation: If the victim is an admin, the attacker gains full administrative control over the AVideo instance
  • Lateral actions: The attacker can perform any action as the victim — upload/delete content, modify settings, access admin panel

Recommended Fix

Fix 1: Re-enable session regeneration on login (objects/user.php:1317)

// Replace the commented-out line:
//_session_regenerate_id();

// With:
_session_regenerate_id();

This is the most critical fix. Session regeneration on authentication transition is a fundamental defense against session fixation (OWASP recommendation).

Fix 2: Remove GET-based session ID acceptance (objects/functionsPHP.php:344-383)

Remove or restrict the $_GET['PHPSESSID'] handling entirely. If it is needed for specific use cases (e.g., CAPTCHA), validate the session ID against a server-side token rather than blindly accepting arbitrary values:

// Instead of accepting any GET PHPSESSID, remove this block entirely.
// If CAPTCHA requires session continuity, pass a CSRF token instead.
if (isset($_GET['PHPSESSID']) && !_empty($_GET['PHPSESSID'])) {
    // REMOVED: Do not accept session IDs from URL parameters
}

Fix 3: Remove session ID exposure (objects/phpsessionid.json.php, view/js/session.js)

The phpsessionid.json.php endpoint and the session.js global variable negate the httponly cookie flag. If JavaScript needs to reference the session for AJAX requests, the browser automatically includes session cookies — there is no need to expose the session ID value to JavaScript.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:49:23Z",
    "nvd_published_at": "2026-03-23T16:16:49Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAVideo\u0027s `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim\u0027s session ID before authentication and then hijack the authenticated session.\n\n## Details\n\nThe vulnerability is a chain of three weaknesses that together enable session fixation:\n\n### 1. Attacker-controlled session ID acceptance (`objects/functionsPHP.php:344-367`)\n\n```php\nfunction _session_start(array $options = [])\n{\n    // ...\n    if (isset($_GET[\u0027PHPSESSID\u0027]) \u0026\u0026 !_empty($_GET[\u0027PHPSESSID\u0027])) {\n        $PHPSESSID = $_GET[\u0027PHPSESSID\u0027];\n        // ...\n        if (!User::isLogged()) {\n            if ($PHPSESSID !== session_id()) {\n                _session_write_close();\n                session_id($PHPSESSID);   // \u003c-- sets session to attacker\u0027s ID\n            }\n            $session = @session_start($options);  // \u003c-- starts with attacker\u0027s ID\n```\n\nThe code reads `$_GET[\u0027PHPSESSID\u0027]` and programmatically calls `session_id($PHPSESSID)`, which bypasses both `session.use_only_cookies` and `session.use_strict_mode` PHP settings since the session ID is set via the PHP API, not via cookie/URL handling.\n\n### 2. Session regeneration bypass for blacklisted endpoints (`objects/functionsPHP.php:375-378`, `objects/functions.php:3100-3116`)\n\n```php\n// functionsPHP.php:375-378\nif (!blackListRegenerateSession()) {\n    _session_regenerate_id();  // \u003c-- SKIPPED when blacklisted + same-domain\n}\n```\n\n```php\n// functions.php:3100-3116\nfunction blackListRegenerateSession()\n{\n    if (!requestComesFromSafePlace()) {\n        return false;\n    }\n    $list = [\n        \u0027objects/getCaptcha.php\u0027,\n        \u0027objects/userCreate.json.php\u0027,\n        \u0027objects/videoAddViewCount.json.php\u0027,\n    ];\n    foreach ($list as $needle) {\n        if (str_ends_with($_SERVER[\u0027SCRIPT_NAME\u0027], $needle)) {\n            return true;  // \u003c-- regeneration skipped for these endpoints\n        }\n    }\n    return false;\n}\n```\n\nThe `requestComesFromSafePlace()` check at `objects/functionsSecurity.php:182` only verifies that `HTTP_REFERER` matches the AVideo domain. When a victim clicks a link from within the AVideo platform (e.g., in a comment or video description), the browser naturally sets the Referer to the AVideo domain, satisfying this check.\n\n### 3. Disabled session regeneration on login (`objects/user.php:1315-1317`)\n\n```php\n// Call custom session regenerate logic\n// this was regenerating the session all the time, making harder to save info in the session\n//_session_regenerate_id();  // \u003c-- COMMENTED OUT\n```\n\nThe session regeneration after authentication is explicitly disabled. This means the session ID persists unchanged through the login transition, which is the fundamental requirement for session fixation to succeed.\n\n### Amplifying factors\n\n- `objects/phpsessionid.json.php` exposes session IDs to any same-origin JavaScript without authentication (line 12: `$obj-\u003ephpsessid = session_id()`)\n- `view/js/session.js` stores the session ID in a global `window.PHPSESSID` variable and logs it to console (line 15)\n- No session-to-IP or session-to-user-agent binding exists (verified via codebase search)\n\n## PoC\n\n### Step 1: Attacker obtains a session ID\n\n```bash\n# Attacker visits the site to get a valid session ID\ncurl -v https://target.example.com/ 2\u003e\u00261 | grep \u0027set-cookie.*PHPSESSID\u0027\n# Response: Set-Cookie: PHPSESSID=attacker_known_session_id; ...\n```\n\n### Step 2: Attacker injects a link on the platform\n\nThe attacker posts a comment on a video or creates content containing a link:\n\n```\nhttps://target.example.com/objects/getCaptcha.php?PHPSESSID=attacker_known_session_id\n```\n\nThis can be placed in a video comment, video description, user bio, or forum post \u2014 anywhere AVideo renders user-provided links.\n\n### Step 3: Victim clicks the link while browsing AVideo\n\nWhen the victim clicks the link from within the AVideo platform:\n1. Browser sets `Referer: https://target.example.com/...` (same-domain)\n2. `_session_start()` processes `$_GET[\u0027PHPSESSID\u0027]`, victim is not logged in, so `session_id(\u0027attacker_known_session_id\u0027)` is called\n3. `blackListRegenerateSession()` returns `true` (script is `getCaptcha.php` + same-domain Referer)\n4. `_session_regenerate_id()` is **skipped**\n5. Victim\u0027s session is now fixed to `attacker_known_session_id`\n\n### Step 4: Victim logs in\n\nThe victim navigates to the login page and authenticates. `User::login()` populates `$_SESSION[\u0027user\u0027]` but does NOT regenerate the session ID (line 1317 is commented out).\n\n### Step 5: Attacker hijacks the authenticated session\n\n```bash\n# Attacker uses the known session ID to access victim\u0027s account\ncurl -b \"PHPSESSID=attacker_known_session_id\" https://target.example.com/objects/user.php?userAPI=1\n# Response: victim\u0027s user data, confirming session hijack\n```\n\n## Impact\n\n- **Full account takeover**: An attacker can hijack any user\u0027s authenticated session, including administrator accounts\n- **Data access**: Full access to the victim\u0027s videos, private content, messages, and personal information\n- **Privilege escalation**: If the victim is an admin, the attacker gains full administrative control over the AVideo instance\n- **Lateral actions**: The attacker can perform any action as the victim \u2014 upload/delete content, modify settings, access admin panel\n\n## Recommended Fix\n\n### Fix 1: Re-enable session regeneration on login (`objects/user.php:1317`)\n\n```php\n// Replace the commented-out line:\n//_session_regenerate_id();\n\n// With:\n_session_regenerate_id();\n```\n\nThis is the most critical fix. Session regeneration on authentication transition is a fundamental defense against session fixation (OWASP recommendation).\n\n### Fix 2: Remove GET-based session ID acceptance (`objects/functionsPHP.php:344-383`)\n\nRemove or restrict the `$_GET[\u0027PHPSESSID\u0027]` handling entirely. If it is needed for specific use cases (e.g., CAPTCHA), validate the session ID against a server-side token rather than blindly accepting arbitrary values:\n\n```php\n// Instead of accepting any GET PHPSESSID, remove this block entirely.\n// If CAPTCHA requires session continuity, pass a CSRF token instead.\nif (isset($_GET[\u0027PHPSESSID\u0027]) \u0026\u0026 !_empty($_GET[\u0027PHPSESSID\u0027])) {\n    // REMOVED: Do not accept session IDs from URL parameters\n}\n```\n\n### Fix 3: Remove session ID exposure (`objects/phpsessionid.json.php`, `view/js/session.js`)\n\nThe `phpsessionid.json.php` endpoint and the `session.js` global variable negate the `httponly` cookie flag. If JavaScript needs to reference the session for AJAX requests, the browser automatically includes session cookies \u2014 there is no need to expose the session ID value to JavaScript.",
  "id": "GHSA-x3pr-vrhq-vq43",
  "modified": "2026-03-25T20:31:06Z",
  "published": "2026-03-20T20:49:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/5647a94d79bf69a972a86653fe02144079948785"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration"
}

GHSA-X6F9-GGPF-G22C

Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03
VLAI
Details

DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-21T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.",
  "id": "GHSA-x6f9-ggpf-g22c",
  "modified": "2022-01-28T00:03:09Z",
  "published": "2022-01-22T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22551"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000195377"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X6P9-8CRM-X3HF

Vulnerability from github – Published: 2026-05-29 18:31 – Updated: 2026-05-29 18:31
VLAI
Details

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T16:16:25Z",
    "severity": "MODERATE"
  },
  "details": "QuickCMS allows a user\u0027s session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThis issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.",
  "id": "GHSA-x6p9-8crm-x3hf",
  "modified": "2026-05-29T18:31:33Z",
  "published": "2026-05-29T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33384"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/05/CVE-2026-33384"
    },
    {
      "type": "WEB",
      "url": "https://opensolution.org/home.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X86V-P8FR-6C2M

Vulnerability from github – Published: 2023-06-19 18:30 – Updated: 2024-04-04 04:57
VLAI
Details

Vulnerability of services denied by early fingerprint APIs on HarmonyOS products.Successful exploitation of this vulnerability may cause services to be denied.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability of services denied by early fingerprint APIs on HarmonyOS products.Successful exploitation of this vulnerability may cause services to be denied.",
  "id": "GHSA-x86v-p8fr-6c2m",
  "modified": "2024-04-04T04:57:48Z",
  "published": "2023-06-19T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34156"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9Q4-QWFH-9GJQ

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 16:44
VLAI
Summary
Session fixation vulnerability in Jenkins Bitbucket OAuth Plugin
Details

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:bitbucket-oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:09:22Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.",
  "id": "GHSA-x9q4-qwfh-9gjq",
  "modified": "2023-02-06T16:44:09Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24427"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/bitbucket-oauth-plugin/commit/b73ac285f8cfcc9727f089c6b2c7f13412285e7c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/bitbucket-oauth-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Session fixation vulnerability in Jenkins Bitbucket OAuth Plugin "
}

GHSA-XCHH-23FV-6M64

Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-06 21:30
VLAI
Details

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-06T16:15:47Z",
    "severity": "HIGH"
  },
  "details": "All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks.",
  "id": "GHSA-xchh-23fv-6m64",
  "modified": "2026-01-06T21:30:34Z",
  "published": "2026-01-06T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36913"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/186246"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/158703"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/158703"
    },
    {
      "type": "WEB",
      "url": "https://www.enlogic-show.com/index.dhtml/23695c31af422b939dd049908/-/deDE/-/CS/-/support/changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/all-dynamics-software-enlogicshow-session-fixation-authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5577.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XCP9-F3W5-GQQW

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-10T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges.",
  "id": "GHSA-xcp9-f3w5-gqqw",
  "modified": "2022-05-24T17:44:05Z",
  "published": "2022-05-24T17:44:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35229"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XJ2W-28HG-8JJR

Vulnerability from github – Published: 2022-02-03 00:00 – Updated: 2022-02-06 00:01
VLAI
Details

IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-02T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040.",
  "id": "GHSA-xj2w-28hg-8jjr",
  "modified": "2022-02-06T00:01:09Z",
  "published": "2022-02-03T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39066"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/215040"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6527892"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Invalidate any existing session identifiers prior to authorizing a new user session.

Mitigation
Architecture and Design

For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-196: Session Credential Falsification through Forging

An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-61: Session Fixation

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.