CWE-384

Session Fixation

Parent: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. In the typical attack the attacker first obtains a valid (unauthenticated) session identifier, induces the victim's browser to use it (for example through a URL parameter or an injected cookie), and waits for the victim to log in; if the application keeps the same identifier across authentication, the attacker's copy of it is now bound to the victim's authenticated session. The fix is to issue a fresh identifier, and discard the old one, at every change of privilege, most importantly at login.
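The following is an added example, not code from the CWE entry or from any of the projects listed below. It simulates the attack end to end against a minimal in-memory session store (a stand-in for a framework's cookie-backed sessions; the user table and the credential are constructed for the demo) and contrasts a login routine with the CWE-384 defect against one that rotates the session identifier on successful authentication. The delivery vector by which the attacker plants the identifier on the victim is not modelled.

```python
"""Session fixation: vulnerable login vs. hardened login (added example)."""
import hmac
import secrets

# Constructed credential store for the demo only; a real application stores
# password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side session state keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def check_password(username, password):
    expected = USERS.get(username)
    # Constant-time comparison; real code compares password hashes instead.
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store, sid, username, password):
    """CWE-384: authenticates the user inside whatever session ID the client
    presented, so an attacker-planted ID becomes an authenticated one."""
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    if not check_password(username, password):
        return None
    session["user"] = username
    return sid  # same ID as before login: this is the defect


def login_fixed(store, sid, username, password):
    """Mitigation: on successful authentication discard the pre-auth session
    and issue a fresh ID. The caller must send the new ID in the Set-Cookie."""
    if not check_password(username, password):
        return None
    store.destroy(sid)  # whatever the client presented is dead after login
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def run_fixation_attack(login):
    """Plays the attack against a login routine.

    Returns (attacker_authenticated, victim_sid_changed).
    """
    store = SessionStore()
    # 1. Attacker obtains a valid anonymous session ID from the server.
    planted_sid = store.create()
    # 2. Attacker plants planted_sid on the victim (vector not modelled here).
    # 3. Victim logs in while presenting the planted ID.
    victim_sid = login(store, planted_sid, "alice", "correct horse battery staple")
    # 4. Attacker replays the ID they already know.
    attacker_view = store.get(planted_sid)
    attacker_authenticated = (
        attacker_view is not None and attacker_view["user"] == "alice"
    )
    return attacker_authenticated, victim_sid != planted_sid


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(login_vulnerable))  # (True, False)
    print("fixed:     ", run_fixation_attack(login_fixed))       # (False, True)
```

Rotating the identifier is only half of the mitigation: the pre-authentication session must also be destroyed server-side (as destroy() does above), otherwise the attacker's copy lingers as a valid, if unauthenticated, session. The same rotation should happen on any other privilege change, such as a role switch or re-authentication.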

405 vulnerabilities with CWE-384
CVE-2009-10007 CRITICAL
Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks
CVSS 9.1
CVE-2008-3222
Drupal 5.x < 5.9 and 6.x < 6.3 - Session Fixation
CVE-2007-4188
Joomla! < 1.0.13 - Session Fixation
CVE-2001-1534
Apache HTTP Server 1.3.11-1.3.20 - Session Fixation via Predictable mod_usertrack Session IDs
CVE-1999-0428
OpenSSL < 0.9.2b - Session Fixation