
CWE-384 (Session Fixation) — Vulnerability Class 145

145 vulnerabilities classified as CWE-384 (Session Fixation). AI-generated Chinese analysis included.

CWE-384, Session Fixation, is an authentication weakness in which an application fails to invalidate the existing session identifier when a user logs in. Because the identifier survives authentication, an attacker who can predict or plant a victim's session ID before login can reuse it afterwards. Typically, the attacker lures the user to a link that carries a session ID the attacker already knows. When the victim logs in, the server binds the authenticated identity to that pre-existing ID, so the attacker holds an authenticated session for the victim's account without ever learning the credentials. The fix is to issue a new, random session identifier immediately after successful authentication. Regenerating the ID after any privilege change and sending session cookies with the Secure and HttpOnly attributes further limits how long a leaked identifier stays usable and reduces the overall risk of session hijacking.

MITRE CWE Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Such a scenario is commonly observed when:
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- The application or container uses predictable session identifiers.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design: Invalidate any existing session identifiers prior to authorizing a new user session.
Architecture and Design: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate
Examples (2)
The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().
private void auth(LoginContext lc, HttpSession session) throws LoginException {
    ...
    lc.login();   // authenticates without a preceding session.invalidate(), so the pre-login session id survives
    ...
}
Bad · Java
The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to j_security_check, which typically does not invalidate the existing session before processing the login request.
<form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="text" name="j_password">
</form>
Bad · HTML
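The vulnerable login above and the first mitigation (invalidate, then issue a fresh identifier) side by side, as an added Python example that is not part of the MITRE entry or of this page; it assumes a small in-memory session store standing in for the web container, and replays the scenario from the CWE description against each login path.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store standing in for a web container (constructed)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def create(self):
        # Fresh, unpredictable identifier for a new (unauthenticated) session.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # CWE-384: authenticates inside whatever session the request arrived with.
        # As with the j_security_check example, an unknown id is simply adopted.
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Mitigation: invalidate the pre-authentication session and bind the
        # user to a newly generated id (HttpSession.invalidate() + new session).
        self.sessions.pop(sid, None)
        new_sid = self.create()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        # Who the server believes is behind this session id (None if nobody).
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_survives(login):
    """Replay the CWE description's scenario against one login implementation.

    Returns True when a session id known before authentication still maps to the
    authenticated user afterwards, i.e. the weakness is present.
    """
    store = SessionStore()
    known_sid = store.create()                     # id issued before the victim authenticates
    victim_sid = login(store, known_sid, "alice")  # victim logs in carrying that id
    assert store.user_for(victim_sid) == "alice"   # the victim's own session works either way
    return store.user_for(known_sid) == "alice"


if __name__ == "__main__":
    print("vulnerable login keeps pre-auth id:", fixation_survives(SessionStore.login_vulnerable))
    print("fixed login keeps pre-auth id:     ", fixation_survives(SessionStore.login_fixed))
```

The same harness can be pointed at a real session layer by swapping SessionStore for a client that drives the application's login endpoint and inspects which cookie it is served back.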
CVSS and Severity values that carried the page's "AI" badge are shown as (AI).

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-46605 | Dell PowerProtect Data Domain (Dell PowerProtect DD) security vulnerability | PowerProtect Data Domain | 6.2 | Medium | 2026-04-17
CVE-2026-31940 | Session Fixation in Chamilo LMS | chamilo-lms | 7.5 | High | 2026-04-10
CVE-2026-33946 | MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay | ruby-sdk | 8.2 | - | 2026-03-27
CVE-2026-33757 | OpenBao lacks user confirmation for OIDC direct callback mode | openbao | 9.6 | Critical | 2026-03-27
CVE-2026-25101 | Session Fixation in Bludit | Bludit | 9.1 | - | 2026-03-27
CVE-2025-55266 | HCL Aftermarket DPC is affected by Session Fixation | Aftermarket DPC | 5.9 | Medium | 2026-03-26
CVE-2026-33492 | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | AVideo | 7.3 | High | 2026-03-23
CVE-2026-30224 | OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session | OliveTin | 5.4 | Medium | 2026-03-06
CVE-2026-24352 | Session Fixation in PluXml CMS | PluXml CMS | 8.2 | - | 2026-02-27
CVE-2026-2177 | SourceCodester Prison Management System Login session fixation | Prison Management System | 7.3 | High | 2026-02-08
CVE-2026-23796 | Session Fixation in Quick.Cart | Quick.Cart | 8.1 (AI) | High (AI) | 2026-02-05
CVE-2026-23624 | GLPI is vulnerable to session stealing on externally authenticated user change | glpi | 4.3 | Medium | 2026-02-04
CVE-2025-7014 | Session Hijacking in QRMenumPro's Menu Panel | Menu Panel | 5.7 | Medium | 2026-01-29
CVE-2025-7015 | Session Hijacking in Akinsoft's QR Menu | QR Menu | 5.7 | Medium | 2026-01-29
CVE-2025-68139 | In EVerest, by default, the EV is responsible for closing the connection if the module encounters an error during request processing | everest-core | 4.3 | Medium | 2026-01-21
CVE-2025-36115 | Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX. | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | 6.3 | Medium | 2026-01-20
CVE-2026-22082 | Insecure Session ID Management Vulnerability in Tenda Wireless Routers | 300Mbps Wireless Router F3 and N300 Easy Setup Router | 7.4 | - | 2026-01-09
CVE-2020-36913 | All-Dynamics Software enlogic:show 2.0.2 Session Fixation Authentication Bypass | enlogic:show Digital Signage System | 5.3 | Medium | 2026-01-06
CVE-2023-53776 | Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness | Screen SFT DAB Series - Compact Radio DAB Transmitter | 9.8 (AI) | Critical (AI) | 2025-12-10
CVE-2023-53775 | Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness | Screen SFT DAB Series - Compact Radio DAB Transmitter | 9.1 (AI) | Critical (AI) | 2025-12-10
CVE-2023-53741 | Screen SFT DAB 1.9.3 Authentication Bypass via IP Session Management | Screen SFT DAB Series - Compact Radio DAB Transmitter | 7.5 (AI) | High (AI) | 2025-12-10
CVE-2025-64100 | CKAN Vulnerable to Session Cookie Fixation | ckan | 6.1 | Medium | 2025-10-29
CVE-2025-12390 | Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id | keycloak | 6.0 | Medium | 2025-10-28
CVE-2025-10228 | Session Hijacking in Rolantis Information Technologies' Agentis | Agentis | 8.8 | High | 2025-10-14
CVE-2025-59841 | FlagForgeCTF's Improper Session Handling Allows Access After Logout | flagForge | 9.8 | Critical | 2025-09-25
CVE-2025-4644 | User Session Fixation after Account Removal in PayloadCMS | Payload | 8.8 | - | 2025-08-29
CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve | Apache Tomcat | 9.8 | - | 2025-08-13
CVE-2025-8517 | givanz Vvveb session fixation | Vvveb | 6.3 | Medium | 2025-08-04
CVE-2025-53102 | Discourse's WebAuthn challenge isn't cleared from user session after authentication | discourse | 8.2 (AI) | High (AI) | 2025-07-29
CVE-2025-0253 | HCL IEM is affected by a cookie attribute not set vulnerability | IEM | 2.0 | Low | 2025-07-25

Vulnerabilities classified as CWE-384 (Session Fixation) represent 145 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.