CVE-2024-7341

HIGH Year: 2024
CVSS v3 Score
7.1
High
Weakness Type
CWE-384
View all →

Vulnerability Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Related Vulnerabilities

CVE-2022-24781

HIGH
CVSS:7.1(High)

Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of...

CWE-3842022

CVE-2024-30262

HIGH
CVSS:7.1(High)

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember...

CWE-3842024

CVE-2024-56529

HIGH
CVSS:7.1(High)

Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in...

CWE-3842024

CVE-2016-6043

HIGH
CVSS:7.0(High)

Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.

CWE-3842016

CVE-2023-24477

MEDIUM
CVSS:7.0(High)

In certain conditions, depending on timing and the usage of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Thus an authen...

CWE-3842023

CVE-2019-5406

HIGH
CVSS:7.2(High)

A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

CWE-3842019