CVE-2017-5141

MEDIUM Year: 2017
CVSS v3 Score
6.0
Medium
CVSS v2 Score
6.5
Medium
Weakness Type
CWE-384
View all →

Vulnerability Description

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION).

Related Vulnerabilities

CVE-2014-10399

MEDIUM
CVSS:6.1(Medium)

The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.

CWE-3842014

CVE-2014-10400

MEDIUM
CVSS:6.1(Medium)

The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SP...

CWE-3842014

CVE-2017-10600

MEDIUM
CVSS:5.9(Medium)

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same...

CWE-3842017

CVE-2017-5831

MEDIUM
CVSS:5.9(Medium)

Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID.

CWE-3842017

CVE-2018-1000173

MEDIUM
CVSS:5.9(Medium)

A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can contr...

CWE-3842018

CVE-2018-1000602

MEDIUM
CVSS:5.9(Medium)

A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-a...

CWE-3842018