Hex · Pow · CVE-2020-5205
**Name of the Vulnerable Software and Affected Versions**
Pow (Hex package) versions prior to 1.0.16
**Description**
The use of `Plug.Session` in `Pow.Plug.Session` is susceptible to session fixation attacks if a persistent session store is used for `Plug.Session`, such as Redis or a database. This issue does not affect the cookie store, which is commonly used in Phoenix apps.
**Recommendations**
For versions prior to 1.0.16, call `Plug.Conn.configure_session(conn, renew: true)` periodically and after any privilege change (most importantly on login) to mitigate the issue, so that the session id stored in the persistent backend is regenerated rather than reused. Consider writing a custom authorization plug where the `create/3` method returns the `conn` only after `Plug.Conn.configure_session/2` has been called on it. Update to version 1.0.16 or later to resolve the issue.
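The following is an added illustration of the workaround described above for applications that cannot upgrade immediately; it is not code from the Pow project or from the advisory. It assumes a Phoenix endpoint configured with a persistent session store (the Redis store module and its options here are placeholders for whatever backend the application uses) and a hypothetical wrapper module `MyAppWeb.Pow.RenewingSession` that delegates to `Pow.Plug.Session` but renews the session id before the user is written to it. The `use Pow.Plug.Base` callback shape (`fetch/2`, `create/3`, `delete/2`) is assumed to match the Pow 1.0.x series the advisory covers.

```elixir
# lib/my_app_web/endpoint.ex (excerpt, constructed for this example)
#
# A persistent store such as Redis or a database is what makes the
# application affected; the default cookie store is not.
plug Plug.Session,
  store: MyApp.RedisSessionStore,        # placeholder: any persistent store module
  key: "_my_app_key",
  signing_salt: "PLACEHOLDER_SALT"

# lib/my_app_web/pow/renewing_session.ex
defmodule MyAppWeb.Pow.RenewingSession do
  @moduledoc """
  Hypothetical wrapper around Pow.Plug.Session for Pow < 1.0.16.

  Mitigation: a session fixation attack relies on the id that existed before
  login still being valid afterwards. Calling `Plug.Conn.configure_session/2`
  with `renew: true` before Pow stores the authenticated user forces the
  session store to issue a fresh id, so the pre-login id cannot be reused.
  """
  use Pow.Plug.Base

  alias Plug.Conn
  alias Pow.Plug.Session

  # Read the current user exactly as Pow.Plug.Session does.
  @impl true
  def fetch(conn, config), do: Session.fetch(conn, config)

  # Renew the Plug.Session id first, then let Pow create its own session
  # for the user on the already-renewed conn. Because the renewal happens
  # before delegation, this works whether Pow's create/3 returns `conn`
  # or `{conn, user}`.
  @impl true
  def create(conn, user, config) do
    conn
    |> Conn.configure_session(renew: true)
    |> Session.create(user, config)
  end

  # Log out through Pow, then drop the Plug.Session entirely so the id
  # is not carried into the next authentication.
  @impl true
  def delete(conn, config) do
    conn
    |> Session.delete(config)
    |> Conn.configure_session(drop: true)
  end
end

# lib/my_app_web/router.ex (excerpt): use the wrapper in place of
# Pow.Plug.Session in the pipeline that handles authentication.
#
#   pipeline :browser do
#     plug :fetch_session
#     plug MyAppWeb.Pow.RenewingSession, otp_app: :my_app
#   end
```

`Plug.Conn.configure_session/2` requires the session to have been fetched earlier in the pipeline (`plug :fetch_session`), which is the normal Phoenix setup; if it is called on a conn whose session was never fetched it raises. A quick check that the mitigation is in place is to compare the session cookie value before and after a successful login: with a persistent store and this wrapper, the id must change, and a request made with the pre-login id must no longer resolve to the logged-in user. Upgrading to 1.0.16 or later, where Pow performs this renewal itself, remains the real fix.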