CVE-2021-33394

CVSS v3 Score: 5.4 (Medium)
CVSS v2 Score: 5.5 (Medium)

Vulnerability Description

Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

CVSS:5.4(Medium)

A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session ...

CVSS:5.4(Medium)

Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors.

CVSS:5.4(Medium)

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalida...

CVSS:5.4(Medium)

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.

CVSS:5.4(Medium)

A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The ...

CVSS:5.4(Medium)

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.