CWE-384 - Session Fixation

Description

Absence of valid session identifier annulation before performing new user's session allows atackers to steal authenticated sessions.
It usually takes place when:
1. A web application continues to use a previous user's session for a new one.
2. An attacker imposes a known session on the user. As soon as the user authenticates, the malicious user access the system.
3. An attacker creates a new session and records the associated session identifier. Authenticating, the user apply that session identifier that allows offender to gain privileges and get access.
The weakness is introduced during Architecture and Design, Implementation stages.

Latest vulnerabilities for CWE-384

Multiple vulnerabilities in Keycloak 2024-04-17
Medium Yes

Multiple vulnerabilities in IBM Cloud Pak for AIOps 2024-03-27
High Yes

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management 2024-02-29
High Yes

Multiple vulnerabilities in Apache DolphinScheduler 2024-02-20
High Yes

Multiple vulnerabilities in IBM Netcool Operations Insight 2023-12-11
High Yes

Multiple vulnerabilities in IBM Cloud Pak for Business Automation 2023-11-20
High Yes

Multiple vulnerabilities in Symfony 2023-11-13
Medium Yes

Multiple vulnerabilities in Sielco PolyEco FM Transmitter 2023-10-27
High No

Multiple vulnerabilities in Hikvision Access Control and Intercom Products 2023-10-13
Medium Yes

Multiple vulnerabilities in Siemens RUGGEDCOM APE1808 devices with Nozomi Guardian/CMC 2023-10-12
Medium No

References

Description of CWE-384 on Mitre website