
CWE-384 (Session Fixation) — Vulnerability Class 145

145 vulnerabilities classified as CWE-384 (Session Fixation). AI Chinese analysis included.

CWE-384, Session Fixation, is an authentication weakness where an application fails to invalidate existing session identifiers upon user login. This flaw allows attackers to predict or fix a victim’s session ID before authentication occurs. Typically, an attacker tricks a user into accessing a malicious link containing the attacker’s known session ID. When the victim logs in, the server associates the authenticated session with that pre-existing ID, granting the attacker immediate access to the victim’s account without needing credentials. To prevent this, developers must generate a new, random session identifier immediately after successful authentication. Additionally, implementing secure session management practices, such as regenerating IDs after privilege changes and using secure, HTTP-only cookies, ensures that stolen session tokens remain useless to attackers, effectively mitigating the risk of session hijacking.

MITRE CWE Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Such a scenario is commonly observed when:
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- The application or container uses predictable session identifiers.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design: Invalidate any existing session identifiers prior to authorizing a new user session.
Architecture and Design: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate
Examples (2)
The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

    private void auth(LoginContext lc, HttpSession session) throws LoginException {
        ...
        lc.login();
        ...
    }

Bad · Java

The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to j_security_check, which typically does not invalidate the existing session before processing the login request.

    <form method="POST" action="j_security_check">
        <input type="text" name="j_username">
        <input type="text" name="j_password">
    </form>

Bad · HTML
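The generic sequence from the MITRE description (attacker records a session ID, victim authenticates under it) and the invalidate-then-regenerate fix, replayed as an added Python simulation; this is not code from the page or from MITRE, and the SessionStore class and its method names are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None            # None until authenticated
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory server-side session table (constructed for this demo)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)   # unpredictable ID, unlike the third MITRE case
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, regenerate: bool = True) -> str:
        """Authenticate the caller who presented `sid`; returns the ID to set as cookie.

        regenerate=False reproduces CWE-384: the pre-login ID is kept (and even
        adopted if the server has never seen it). regenerate=True is the fix:
        invalidate the old ID and issue a fresh one after successful login.
        """
        old = self.sessions.get(sid) or Session()
        if not regenerate:
            old.user = user
            self.sessions[sid] = old
            return sid
        self.sessions.pop(sid, None)          # equivalent of HttpSession.invalidate()
        new_sid = self.new_session()
        self.sessions[new_sid].user = user
        self.sessions[new_sid].data = old.data  # carry over pre-login state (e.g. cart)
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.user if s else None


def fixation_scenario(regenerate: bool) -> Tuple[Optional[str], Optional[str]]:
    """Returns (user seen via the attacker's ID, user seen via the victim's post-login ID)."""
    store = SessionStore()
    attacker_sid = store.new_session()   # attacker creates a session and records its ID
    # the victim arrives carrying that ID and authenticates
    victim_sid = store.login(attacker_sid, "victim", regenerate=regenerate)
    return store.whoami(attacker_sid), store.whoami(victim_sid)
```

With regenerate=False the attacker's recorded ID now resolves to the victim's authenticated session; with regenerate=True it resolves to nothing and only the freshly issued ID is authenticated.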
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-27490 | Missing proper state, nonce and PKCE checks for OAuth authentication in next-auth — next-auth | 8.1 | High | 2023-03-09 |
| CVE-2021-36394 | Moodle code injection vulnerability — Moodle | 9.8 | - | 2023-03-06 |
| CVE-2021-42761 | Fortinet FortiWeb authorization issue vulnerability — FortiWeb | 8.5 | Critical | 2023-02-16 |
| CVE-2022-24895 | Symfony vulnerable to Session Fixation of CSRF tokens — symfony | 6.3 | Medium | 2023-02-03 |
| CVE-2023-22479 | KubePi vulnerable to session fixation attack — KubePi | 7.5 | High | 2023-01-10 |
| CVE-2014-125048 | kassi xingwall oauth.js session fixiation — xingwall | 6.3 | Medium | 2023-01-06 |
| CVE-2022-4231 | Tribal Systems Zenario CMS Remember Me session fixiation — Zenario CMS | 4.2 | Medium | 2022-11-30 |
| CVE-2022-43398 | Siemens Power Meter Sicam Q100 authorization issue vulnerability — POWER METER SICAM Q100 | 7.5 | High | 2022-11-08 |
| CVE-2022-40293 | Session fixation in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC. — PHP Point of Sale | 8.1 | - | 2022-10-31 |
| CVE-2021-46279 | Session Fixation and Insufficient Session Expiration — IAC-AST2500A | 5.8 | Medium | 2022-10-24 |
| CVE-2022-40226 | Multiple Siemens products authorization issue vulnerability — SICAM P850 | 7.5 | High | 2022-10-11 |
| CVE-2022-40630 | Improper Session Management Vulnerability in Tacitine Firewall — Firewall | 6.5 | Medium | 2022-09-23 |
| CVE-2022-3269 | Session Fixation in ikus060/rdiffweb — ikus060/rdiffweb | 8.8 | - | 2022-09-23 |
| CVE-2022-38054 | Session Fixation — Apache Airflow | 9.8 | - | 2022-09-02 |
| CVE-2022-2997 | Session Fixation in snipe/snipe-it — snipe/snipe-it | 7.6 | - | 2022-08-25 |
| CVE-2022-30605 | WWBN AVideo authorization issue vulnerability — AVideo | 8.8 | - | 2022-08-22 |
| CVE-2022-2820 | Session Fixation in namelessmc/nameless — namelessmc/nameless | 7.0 | High | 2022-08-15 |
| CVE-2022-33927 | Dell Wyse Management Suite authorization issue vulnerability — Wyse Management Suite | 5.4 | Medium | 2022-08-10 |
| CVE-2022-22681 | Synology Photo Station authorization issue vulnerability — Photo Station | 8.1 | High | 2022-07-06 |
| CVE-2022-1849 | Session Fixation in filegator/filegator — filegator/filegator | 6.3 | - | 2022-05-24 |
| CVE-2020-25152 | B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus — SpaceCom | 6.5 | Medium | 2022-04-14 |
| CVE-2022-24781 | Malicious users can take over the session of other players — Geon | 7.1 | High | 2022-03-24 |
| CVE-2022-24745 | Guest session is shared between customers in shopware — platform | 4.8 | Medium | 2022-03-09 |
| CVE-2021-41246 | Session fixation in express-openid-connect — express-openid-connect | 4.6 | Medium | 2021-12-09 |
| CVE-2021-41268 | Cookie persistence in Symfony — symfony | 6.5 | Medium | 2021-11-24 |
| CVE-2021-22927 | Citrix Application Delivery Controller authorization issue vulnerability — Citrix ADC, Citrix Gateway | 8.1 | - | 2021-08-05 |
| CVE-2021-32710 | Potential Session Hijacking in Shopware — platform | 5.9 | Medium | 2021-06-24 |
| CVE-2010-1434 | Joomla authorization issue vulnerability — Joomla | 7.5 | - | 2021-06-21 |
| CVE-2021-32676 | Session Fixation in Nextcloud Talk — security-advisories | 6.5 | Medium | 2021-06-16 |
| CVE-2018-16495 | Versa VOS authorization issue vulnerability — Versa VOS | 8.8 | - | 2021-05-26 |

Vulnerabilities classified as CWE-384 (Session Fixation) represent 145 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.