CWE-384
AllowedSession Fixation
Abstraction: Compound · Status: Incomplete
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
547 vulnerabilities reference this CWE, most recent first.
GHSA-J634-QRVX-MFVR
Vulnerability from github – Published: 2025-01-30 21:31 – Updated: 2025-02-05 06:30A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.
{
"affected": [],
"aliases": [
"CVE-2025-24503"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T19:15:16Z",
"severity": "CRITICAL"
},
"details": "A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.",
"id": "GHSA-j634-qrvx-mfvr",
"modified": "2025-02-05T06:30:26Z",
"published": "2025-01-30T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24503"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J744-6RWF-CHF5
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 18:31Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-56746"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T14:15:52Z",
"severity": "LOW"
},
"details": "Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers.",
"id": "GHSA-j744-6rwf-chf5",
"modified": "2025-10-15T18:31:50Z",
"published": "2025-10-15T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56746"
},
{
"type": "WEB",
"url": "https://suryadina.com/academy-lms-session-fixation-1t8v5n3q6h"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J76J-RQWJ-JMVV
Vulnerability from github – Published: 2024-09-09 21:31 – Updated: 2024-12-20 17:50Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references.
Original Description
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "25.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "24.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-09T22:33:50Z",
"nvd_published_at": "2024-09-09T19:15:14Z",
"severity": "HIGH"
},
"details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references.\n\n# Original Description\nA session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when `the turnOffChangeSessionIdOnLogin` option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.",
"id": "GHSA-j76j-rqwj-jmvv",
"modified": "2024-12-20T17:50:21Z",
"published": "2024-09-09T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7341"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/2341d6ee7a3567c58fd6a04a419fe4403e13374c"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/5b3de0c7e7f367103affe2f5167913a2ce021cf1"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/5e06da2f6794c695051605e26a01affa3a18f66b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6493"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6494"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6495"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6497"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6499"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6500"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6501"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6503"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-7341"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302064"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Keycloak Session Fixation vulnerability",
"withdrawn": "2024-12-20T17:50:21Z"
}
GHSA-J7H5-C7XG-WP5C
Vulnerability from github – Published: 2025-04-23 12:31 – Updated: 2025-04-23 12:31This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts.
{
"affected": [],
"aliases": [
"CVE-2025-42602"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T11:15:46Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts.",
"id": "GHSA-j7h5-c7xg-wp5c",
"modified": "2025-04-23T12:31:25Z",
"published": "2025-04-23T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42602"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J95V-2QPJ-V897
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session.
{
"affected": [],
"aliases": [
"CVE-2021-22927"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-05T21:15:00Z",
"severity": "HIGH"
},
"details": "A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session.",
"id": "GHSA-j95v-2qpj-v897",
"modified": "2022-05-24T19:10:06Z",
"published": "2022-05-24T19:10:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22927"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX319135"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J96G-47X2-46HV
Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2024-04-25 21:36The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/simplesamlphp"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.12"
},
{
"fixed": "1.14.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12868"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T21:36:37Z",
"nvd_published_at": "2017-09-01T13:29:00Z",
"severity": "CRITICAL"
},
"details": "The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.",
"id": "GHSA-j96g-47x2-46hv",
"modified": "2024-04-25T21:36:37Z",
"published": "2022-05-14T03:15:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12868"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/simplesamlphp/simplesamlphp"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://simplesamlphp.org/security/201705-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module"
}
GHSA-JFM4-64MR-FP54
Vulnerability from github – Published: 2025-12-01 15:30 – Updated: 2025-12-01 15:30A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account.
{
"affected": [],
"aliases": [
"CVE-2025-63529"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-01T15:15:51Z",
"severity": "MODERATE"
},
"details": "A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user\u0027s session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim\u0027s account.",
"id": "GHSA-jfm4-64mr-fp54",
"modified": "2025-12-01T15:30:18Z",
"published": "2025-12-01T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63529"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/Shridharshukl/Blood-Bank-Management-System"
},
{
"type": "WEB",
"url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JGGJ-WJWC-8GG9
Vulnerability from github – Published: 2024-01-22 00:30 – Updated: 2024-01-29 18:31An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.
{
"affected": [],
"aliases": [
"CVE-2023-52353"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-21T23:15:44Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.",
"id": "GHSA-jggj-wjwc-8gg9",
"modified": "2024-01-29T18:31:46Z",
"published": "2024-01-22T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52353"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls/issues/8654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ3C-2GGQ-FXGG
Vulnerability from github – Published: 2022-05-14 01:31 – Updated: 2022-05-14 01:31Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-20238"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-13T18:29:00Z",
"severity": "HIGH"
},
"details": "Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.",
"id": "GHSA-jj3c-2ggq-fxgg",
"modified": "2022-05-14T01:31:21Z",
"published": "2022-05-14T01:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20238"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/CWD-5361"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJW4-68X5-3GJ6
Vulnerability from github – Published: 2022-05-17 01:23 – Updated: 2022-05-17 01:23Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-4789"
],
"database_specific": {
"cwe_ids": [
"CWE-384"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-09-10T10:55:00Z",
"severity": "MODERATE"
},
"details": "Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors.",
"id": "GHSA-jjw4-68x5-3gj6",
"modified": "2022-05-17T01:23:17Z",
"published": "2022-05-17T01:23:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4789"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95059"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60996"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21682450"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Invalidate any existing session identifiers prior to authorizing a new user session.
Mitigation
For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-196: Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-61: Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.