CVE-2020-1993

MEDIUM Year: 2020
CVSS v3 Score
5.4
Medium
CVSS v2 Score
5.5
Medium
Weakness Type
CWE-384
View all →

Vulnerability Description

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.

Related Vulnerabilities

CVE-2014-125048

MEDIUM
CVSS:5.4(Medium)

A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session ...

CWE-3842014

CVE-2017-2145

MEDIUM
CVSS:5.4(Medium)

Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors.

CWE-3842017

CVE-2018-1000409

MEDIUM
CVSS:5.4(Medium)

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalida...

CWE-3842018

CVE-2018-13337

MEDIUM
CVSS:5.4(Medium)

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.

CWE-3842018

CVE-2018-18380

MEDIUM
CVSS:5.4(Medium)

A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The ...

CWE-3842018

CVE-2019-10158

MEDIUM
CVSS:5.4(Medium)

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

CWE-3842019