• Skip to primary navigation
  • Skip to main content
CVE Vulnerability

CVE Vulnerability

  • CVE’s
  • Products
  • Vendors

CWE-384

CVE-2020-1762

February 26, 2023 by

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

CVE-2020-15909

February 26, 2023 by

SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service.

CVE-2020-15679

February 26, 2023 by

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).

CVE-2020-15018

February 26, 2023 by

playSMS through 1.4.3 is vulnerable to session fixation.

CVE-2020-13229

February 26, 2023 by

An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token.

CVE-2020-12467

February 26, 2023 by

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.

  • « Go to Previous Page
  • Go to page 1
  • Interim pages omitted …
  • Go to page 12
  • Go to page 13
  • Go to page 14
  • Go to page 15
  • Go to page 16
  • Interim pages omitted …
  • Go to page 31
  • Go to Next Page »

Copyright CVE Vulnerabilities 2023
Data Sources:

  • NIST
  • MITRE
  • CVE Search
  • Open CVE