CVE-2016-9125

CRITICAL Year: 2016
CVSS v3 Score
9.8
Critical
CVSS v2 Score
7.5
High
Weakness Type
CWE-384
View all →

Vulnerability Description

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.

Related Vulnerabilities

CVE-2015-1174

CRITICAL
CVSS:9.8(Critical)

Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.

CWE-3842015

CVE-2015-1820

CRITICAL
CVSS:9.8(Critical)

REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a respons...

CWE-3842015

CVE-2016-10405

CRITICAL
CVSS:9.8(Critical)

Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.

CWE-3842016

CVE-2017-12868

CRITICAL
CVSS:9.8(Critical)

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass...

CWE-3842017

CVE-2017-12873

CRITICAL
CVSS:9.8(Critical)

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generat...

CWE-3842017

CVE-2017-12965

CRITICAL
CVSS:9.8(Critical)

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

CWE-3842017