CWE-384
AllowedSession Fixation
Abstraction: Compound · Status: Incomplete
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
547 vulnerabilities reference this CWE, most recent first.
GHSA-4CF6-Q58X-CJ63
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 21:31An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.
{
"affected": [],
"aliases": [
"CVE-2024-57052"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T23:15:09Z",
"severity": "CRITICAL"
},
"details": "An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.",
"id": "GHSA-4cf6-q58x-cj63",
"modified": "2025-01-28T21:31:03Z",
"published": "2025-01-28T00:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57052"
},
{
"type": "WEB",
"url": "https://gist.github.com/yahaha9/720fb45bbebda62dc198568c8d275df8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CWR-JP57-8CX6
Vulnerability from github – Published: 2025-03-05 06:31 – Updated: 2025-03-05 18:32Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004.
{
"affected": [],
"aliases": [
"CVE-2025-27661"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T06:15:38Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004.",
"id": "GHSA-4cwr-jp57-8cx6",
"modified": "2025-03-05T18:32:08Z",
"published": "2025-03-05T06:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27661"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FWJ-M62Q-PP47
Vulnerability from github – Published: 2024-12-30 16:46 – Updated: 2024-12-31 18:42Impact
A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking.
Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared.
This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device.
Patches
Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk.
Workarounds
If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access.
To further mitigate session hijacking risks, Password Pusher implements the following security measures:
- Automatic Session Expiration: Sessions are automatically expired after 2 hours of inactivity, reducing the window for potential exploitation.
- Session Reset on Login and Logout: Sessions are fully reset both when a user logs in and logs out, ensuring that session tokens are not reusable post-logout. This practice invalidates old session tokens and issues new ones, minimizing the risk of session hijacking.
- Encrypted Cookies: Cookies are encrypted using the value of SECRET_KEY_BASE from the application's configuration. This encryption adds a layer of protection against tampering or reading the session cookie's contents if intercepted, although it doesn't prevent the cookie from being used if stolen.
Note: While these measures significantly enhance security, they are part of a broader security strategy.
References
- https://edgeguides.rubyonrails.org/security.html#session-hijacking
Credits
Thank you to Positive Technologies for reporting and working with me to bring this CVE to the community.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "pwpush"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.50.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56733"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-30T16:46:43Z",
"nvd_published_at": "2024-12-30T17:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking.\n\nAlthough the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user\u0027s session until the token expires or is manually cleared.\n\nThis vulnerability hinges on the attacker\u0027s ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim\u0027s device.\n\n### Patches\n\nAlthough there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk.\n\n### Workarounds\n\nIf self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access.\n\nTo further mitigate session hijacking risks, Password Pusher implements the following security measures:\n\n1. **Automatic Session Expiration**: Sessions are automatically expired after 2 hours of inactivity, reducing the window for potential exploitation.\n2. **Session Reset on Login and Logout**: Sessions are fully reset both when a user logs in and logs out, ensuring that session tokens are not reusable post-logout. This practice invalidates old session tokens and issues new ones, minimizing the risk of session hijacking.\n3. **Encrypted Cookies**: Cookies are encrypted using the value of SECRET_KEY_BASE from the application\u0027s configuration. This encryption adds a layer of protection against tampering or reading the session cookie\u0027s contents if intercepted, although it doesn\u0027t prevent the cookie from being used if stolen.\n\n**Note**: While these measures significantly enhance security, they are part of a broader security strategy.\n\n### References\n\n* https://edgeguides.rubyonrails.org/security.html#session-hijacking\n\n### Credits\n\nThank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) for reporting and working with me to bring this CVE to the community.\n\n",
"id": "GHSA-4fwj-m62q-pp47",
"modified": "2024-12-31T18:42:50Z",
"published": "2024-12-30T16:46:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56733"
},
{
"type": "PACKAGE",
"url": "https://github.com/pglombardo/PasswordPusher"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pwpush/CVE-2024-56733.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Password Pusher Allows Session Token Interception Leading to Potential Hijacking"
}
GHSA-4HFH-6X8G-GWPP
Vulnerability from github – Published: 2026-06-09 06:31 – Updated: 2026-06-09 06:31A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
{
"affected": [],
"aliases": [
"CVE-2026-41839"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T05:16:35Z",
"severity": "MODERATE"
},
"details": "A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.",
"id": "GHSA-4hfh-6x8g-gwpp",
"modified": "2026-06-09T06:31:57Z",
"published": "2026-06-09T06:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41839"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-41839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4HRP-M3F2-643J
Vulnerability from github – Published: 2024-01-19 21:30 – Updated: 2026-01-22 20:51Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4m5p-5w5w-3jcf. This link is maintained to preserve external references.
Original Description
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.enonic.xp:lib-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-29T22:30:31Z",
"nvd_published_at": "2024-01-19T21:15:10Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4m5p-5w5w-3jcf. This link is maintained to preserve external references.\n\n## Original Description\nEnonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.",
"id": "GHSA-4hrp-m3f2-643j",
"modified": "2026-01-22T20:51:55Z",
"published": "2024-01-19T21:30:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23679"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/issues/9253"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Session fixation in Enonic XP",
"withdrawn": "2026-01-22T20:51:55Z"
}
GHSA-4JQ6-G4XR-95FP
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 02:00An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.
{
"affected": [],
"aliases": [
"CVE-2019-6161"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-26T16:15:00Z",
"severity": "HIGH"
},
"details": "An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.",
"id": "GHSA-4jq6-g4xr-95fp",
"modified": "2024-04-04T02:00:56Z",
"published": "2022-05-24T16:56:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6161"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/solutions/LEN-26957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4M3M-PPVX-XGW9
Vulnerability from github – Published: 2023-04-21 22:33 – Updated: 2023-04-24 15:56Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers.
Details
fastify applications rely on the @fastify/passport library for user authentication. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie in the victim's browser and waiting for the victim to log in on the website.
Fix
As a solution, newer versions of @fastify/passport regenerate sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session.
Credits
- Pedro Adão (@pedromigueladao), Instituto Superior Técnico, University of Lisbon
- Marco Squarcina (@lavish), Security & Privacy Research Unit, TU Wien
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fastify/passport"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fastify/passport"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29019"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-21T22:33:30Z",
"nvd_published_at": "2023-04-21T23:15:20Z",
"severity": "HIGH"
},
"details": "Applications using `@fastify/passport` for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to [session fixation attacks](https://owasp.org/www-community/attacks/Session_fixation) from network and same-site attackers.\n\n## Details\nfastify applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the `sessionId` is preserved between the pre-login and the authenticated session. Network and [same-site attackers](https://canitakeyoursubdomain.name/) can hijack the victim\u0027s session by tossing a valid `sessionId` cookie in the victim\u0027s browser and waiting for the victim to log in on the website.\n\n## Fix\nAs a solution, newer versions of `@fastify/passport` regenerate `sessionId` upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session.\n\n## Credits\n* Pedro Ad\u00e3o (@pedromigueladao), [Instituto Superior T\u00e9cnico, University of Lisbon](https://tecnico.ulisboa.pt/)\n* Marco Squarcina (@lavish), [Security \u0026 Privacy Research Unit, TU Wien](https://secpriv.wien/)",
"id": "GHSA-4m3m-ppvx-xgw9",
"modified": "2023-04-24T15:56:25Z",
"published": "2023-04-21T22:33:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-passport/security/advisories/GHSA-4m3m-ppvx-xgw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29019"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-passport/commit/43c82c321db58ea3e375dd475de60befbfcf2a11"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-passport"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Session_fixation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Session fixation in fastify-passport"
}
GHSA-4M5P-5W5W-3JCF
Vulnerability from github – Published: 2022-10-12 20:13 – Updated: 2026-01-22 20:52Impact
All id-providers using lib-auth login method.
Patches
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
Workarounds
Don't use lib-auth for login.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.
References
https://github.com/enonic/xp/issues/9253
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.enonic.xp:lib-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23679"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-12T20:13:46Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nAll id-providers using lib-auth `login` method.\n\n### Patches\nhttps://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff\nhttps://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842\nhttps://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4\n\n### Workarounds\nDon\u0027t use lib-auth for `login`. \nJava API uses low-level structures and allows to invalidate previous session before auth-info is added.\n\n### References\n\nhttps://github.com/enonic/xp/issues/9253",
"id": "GHSA-4m5p-5w5w-3jcf",
"modified": "2026-01-22T20:52:01Z",
"published": "2022-10-12T20:13:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23679"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/issues/9253"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"
},
{
"type": "WEB",
"url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"
},
{
"type": "PACKAGE",
"url": "https://github.com/enonic/xp"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "com.enonic.xp:lib-auth vulnerable to Session Fixation"
}
GHSA-4MH4-9H6C-9MC5
Vulnerability from github – Published: 2022-05-17 03:00 – Updated: 2022-05-17 03:00Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.
{
"affected": [],
"aliases": [
"CVE-2016-6043"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "HIGH"
},
"details": "Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.",
"id": "GHSA-4mh4-9h6c-9mc5",
"modified": "2022-05-17T03:00:55Z",
"published": "2022-05-17T03:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6043"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21995754"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95090"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MX2-9GRF-8F85
Vulnerability from github – Published: 2026-03-26 15:30 – Updated: 2026-03-26 15:30HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's session and use it carry out unauthorized transaction behalf of the user.
{
"affected": [],
"aliases": [
"CVE-2025-55266"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T13:16:25Z",
"severity": "MODERATE"
},
"details": "HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user\u0027s session and use it carry out unauthorized transaction behalf of the user.",
"id": "GHSA-4mx2-9grf-8f85",
"modified": "2026-03-26T15:30:38Z",
"published": "2026-03-26T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55266"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0129793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Invalidate any existing session identifiers prior to authorizing a new user session.
Mitigation
For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-196: Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-61: Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.