
CWE-384 (Session Fixation): Vulnerability Class, 145 CVEs

145 vulnerabilities are classified as CWE-384 (Session Fixation). The page also carries an AI-generated Chinese analysis.

CWE-384, Session Fixation, is an authentication weakness in which an application keeps using the session identifier the client already presents instead of issuing a new one when the user logs in. Because the server accepts whatever session ID the client brings, the attacker does not need to guess or steal the victim's ID: the attacker first obtains a valid ID of their own and then plants it on the victim, typically through a link that carries the ID in a URL parameter, a cookie-setting injection, or a cookie scoped to a shared parent domain. When the victim authenticates, the server binds the authenticated state to that pre-set ID, and the attacker, who already holds it, gains access to the account without ever handling credentials. The primary fix is to invalidate the pre-login session and generate a new, unpredictable session identifier immediately after successful authentication, and again on any change of privilege. Secure, HttpOnly and SameSite cookie attributes and short session lifetimes are complementary controls: they reduce the ways an identifier can be planted or stolen, but they do not prevent fixation on their own if the identifier is not regenerated at login.

MITRE CWE Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Such a scenario is commonly observed when:
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- The application or container uses predictable session identifiers.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design: Invalidate any existing session identifiers prior to authorizing a new user session.
Architecture and Design: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate.
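The following is an added example, not code from the page, from MITRE, or from any product in the CVE list. It plays MITRE's generic exploit (attacker obtains an ID, plants it on the victim, victim logs in, attacker replays the ID) against a minimal in-memory session store with two login paths: one that authenticates the session the client already presents (the CWE-384 bug) and one that applies the first two mitigations above, invalidating the presented identifier, issuing a fresh one, and binding it to a secondary cookie. The cookie names JSESSIONID and SESSBIND, the user "alice" and the password are constructed for illustration.

```python
"""CWE-384 walkthrough on a minimal in-memory session store.

Added example; not code from the page, from MITRE, or from any listed product.
Cookie names, user name and password are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "JSESSIONID"  # assumed cookie name
BINDING_COOKIE = "SESSBIND"    # assumed name for the secondary cookie of the ASP-style mitigation

USERS = {"alice": "correct horse"}  # constructed credential store


def check_password(user: str, password: str) -> bool:
    return USERS.get(user) == password


@dataclass
class Session:
    user: Optional[str] = None     # None until the session is authenticated
    binding: Optional[str] = None  # server-side copy of the secondary cookie value


class Server:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable, CSPRNG-backed identifier
        self.sessions[sid] = Session()
        return sid

    def session_for(self, cookies: Dict[str, str]) -> str:
        """Return the ID of the session the client presents; unknown IDs are replaced,
        never adopted. Honouring a known ID is normal; the bug is what login does with it."""
        sid = cookies.get(SESSION_COOKIE)
        if sid is None or sid not in self.sessions:
            sid = self.new_session()
        return sid

    def login_vulnerable(self, cookies: Dict[str, str], user: str, password: str) -> Optional[Dict[str, str]]:
        """CWE-384: authenticates whatever session the client already had."""
        sid = self.session_for(cookies)
        if not check_password(user, password):
            return None
        self.sessions[sid].user = user  # an attacker-chosen ID is now an authenticated session
        return {SESSION_COOKIE: sid}

    def login_fixed(self, cookies: Dict[str, str], user: str, password: str) -> Optional[Dict[str, str]]:
        """Mitigation: invalidate the presented session, issue a fresh ID, and bind
        the new session to a secondary cookie that a fixated ID would not carry."""
        old_sid = self.session_for(cookies)
        if not check_password(user, password):
            return None
        self.sessions.pop(old_sid, None)          # the existing identifier is no longer valid
        new_sid = self.new_session()              # fresh identifier issued after authentication
        binding = secrets.token_urlsafe(16)
        self.sessions[new_sid].user = user
        self.sessions[new_sid].binding = binding  # same value kept server-side and in the cookie
        return {SESSION_COOKIE: new_sid, BINDING_COOKIE: binding}

    def whoami(self, cookies: Dict[str, str]) -> Optional[str]:
        """Resolve cookies to an authenticated user, enforcing the secondary-cookie check."""
        sid = cookies.get(SESSION_COOKIE)
        sess = self.sessions.get(sid) if sid else None
        if sess is None or sess.user is None:
            return None
        if sess.binding is not None and cookies.get(BINDING_COOKIE) != sess.binding:
            del self.sessions[sid]  # mismatch: invalidate and force a fresh login
            return None
        return sess.user


def run_fixation(variant: str) -> Tuple[Optional[str], Optional[str]]:
    """Play the generic exploit against Server.<variant>.
    Returns (user the attacker reaches via the planted ID, user the victim sees)."""
    server = Server()
    attacker_sid = server.new_session()                # 1. attacker obtains a valid session ID
    victim_cookies = {SESSION_COOKIE: attacker_sid}    # 2. attacker plants that ID on the victim
    issued = getattr(server, variant)(victim_cookies, "alice", "correct horse")  # 3. victim logs in
    if issued is not None:
        victim_cookies = issued
    attacker_view = server.whoami({SESSION_COOKIE: attacker_sid})  # 4. attacker replays the known ID
    victim_view = server.whoami(victim_cookies)
    return attacker_view, victim_view


def run_binding_mismatch() -> Optional[str]:
    """A session cookie presented without its secondary cookie is rejected."""
    server = Server()
    cookies = server.login_fixed({}, "alice", "correct horse")
    return server.whoami({SESSION_COOKIE: cookies[SESSION_COOKIE]})


if __name__ == "__main__":
    print("vulnerable:", run_fixation("login_vulnerable"))  # ('alice', 'alice')
    print("fixed:     ", run_fixation("login_fixed"))       # (None, 'alice')
    print("no binding:", run_binding_mismatch())            # None
```

In a real application the "fresh identifier" step is the framework's own call rather than a hand-rolled store: HttpServletRequest.changeSessionId() (Servlet 3.1+) or HttpSession.invalidate() followed by getSession(true) in Java EE, session_regenerate_id(true) in PHP, request.session.cycle_key() in Django. Note also that session_for never adopts an unknown client-supplied ID; a server that does ("permissive" session IDs) hands the attacker the first step for free.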
Examples (2)
The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

```java
// Bad: the session the client arrived with survives authentication unchanged.
private void auth(LoginContext lc, HttpSession session) throws LoginException {
    ...
    lc.login();
    ...
}
```
(Bad example, Java)

The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to j_security_check, which typically does not invalidate the existing session before processing the login request.

```html
<!-- Bad: the container's login action is reached with the pre-login session cookie still in force. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="text" name="j_password">
</form>
```
(Bad example, HTML)
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-0251 | HCL IEM is affected by a concurrent login vulnerability | IEM | 2.6 | Low | 2025-07-25
CVE-2025-36117 | IBM Db2 Mirror for i session fixation | Db2 Mirror for i | 6.3 | Medium | 2025-07-23
CVE-2025-52689 | Weak Session ID Check in the OmniAccess Stellar Web Management Interface | OmniAccess Stellar Products | 9.8 | Critical | 2025-07-16
CVE-2025-53021 | Moodle authorization issue vulnerability | Moodle | 4.2 | Medium | 2025-06-24
CVE-2024-13967 | Session-Management Failure | EIBPORT V3 KNX | 8.8 | High | 2025-06-04
CVE-2024-49709 | XSS in iKSORIS | iKSORIS | 8.8 (AI) | High (AI) | 2025-04-14
CVE-2025-0126 | PAN-OS: Session Fixation Vulnerability in GlobalProtect SAML Login | Cloud NGFW | 8.8 (AI) | High (AI) | 2025-04-11
CVE-2025-29928 | authentik's deletion of sessions did not revoke sessions when using database session storage | authentik | 8.0 | High | 2025-03-28
CVE-2025-26658 | Broken Authentication in SAP Business One (Service Layer) | SAP Business One (Service Layer) | 6.8 | Medium | 2025-03-11
CVE-2025-1412 | Session Persistence After User-to-Bot Conversion | Mattermost | 3.1 | Low | 2025-02-24
CVE-2024-49344 | IBM OpenPages session fixation | OpenPages with Watson | 4.3 | Medium | 2025-02-20
CVE-2024-42207 | HCL iAutomate is affected by a session fixation vulnerability | iAutomate | 5.5 | Medium | 2025-02-05
CVE-2024-42171 | HCL MyXalytics is affected by insufficient session expiration | DRYiCE MyXalytics | 6.4 | Medium | 2025-01-11
CVE-2024-42170 | HCL MyXalytics is affected by a session fixation vulnerability | DRYiCE MyXalytics | 6.8 | Medium | 2025-01-11
CVE-2024-13279 | Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 | Two-factor Authentication (TFA) | 7.1 | - | 2025-01-09
CVE-2024-56733 | Password Pusher Allows Session Token Interception Leading to Potential Hijacking | PasswordPusher | 5.7 | Medium | 2024-12-30
CVE-2024-28144 | Broken Access Control | Scan2Net | 9.8 | - | 2024-12-12
CVE-2024-11317 | PHP Session Fixation | ASPECT-Enterprise | 10.0 | Critical | 2024-12-05
CVE-2021-3740 | Session Fixation in chatwoot/chatwoot | chatwoot/chatwoot | 7.1 (AI) | High (AI) | 2024-11-15
CVE-2023-50176 | Fortinet FortiOS authorization issue vulnerability | FortiOS | 7.1 | High | 2024-11-12
CVE-2024-10318 | NGINX OpenID Connect Vulnerability | NGINX OpenID Connect | 5.4 | Medium | 2024-11-06
CVE-2024-23590 | Apache Kylin: Session fixation in web interface | Apache Kylin | 9.8 (AI) | Critical (AI) | 2024-11-04
CVE-2024-48929 | Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out | Umbraco-CMS | 4.2 | Medium | 2024-10-22
CVE-2024-10158 | PHPGurukul Boat Booking System session_start session fixation | Boat Booking System | 4.3 | Medium | 2024-10-19
CVE-2024-8643 | Session Hijacking in Oceanic Software's ValeApp | ValeApp | 8.8 (AI) | High (AI) | 2024-09-27
CVE-2024-45368 | AutomationDirect DirectLogic H2-DM1E Session Fixation | DirectLogic H2-DM1E | 8.8 | High | 2024-09-13
CVE-2024-42345 | Siemens SINEMA Remote Connect Server authorization issue vulnerability | SINEMA Remote Connect Server | 4.3 | Medium | 2024-09-10
CVE-2024-7341 | Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters | (not listed) | 7.1 | High | 2024-09-09
CVE-2023-38018 | IBM Aspera Shares session fixation | Aspera Shares | 6.3 | Medium | 2024-08-09
CVE-2024-38513 | Fiber Session Middleware Token Injection Vulnerability | fiber | 10.0 | Critical | 2024-07-01

Scores and severities marked (AI) carry the page's own "AI" marker; a "-" severity means the page lists none.

Vulnerabilities classified as CWE-384 (Session Fixation) represent 145 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.