Vulnerability Database

312,922

Total vulnerabilities in the database

CVE-2018-16495

In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

Published: May 26, 2021
Updated: Nov 9, 2025
CVE: CVE-2018-16495
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
versa-networks / versa_operating_system	21.1.0	21.1.1
versa-networks / versa_operating_system	20.2.0	20.2.2
versa-networks / versa_operating_system	-	16.1r2s11

https://hackerone.com/reports/1168192

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo