Vulnerabilities (CVE)

Filtered by CWE-613 (Insufficient Session Expiration)
Total 311 CVE
CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v2 (score, severity) | CVSS v3 (score, severity)
CVE-2023-26288 2024-07-30 N/A 5.5 MEDIUM
IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.
CVE-2022-32759 2024-07-26 N/A 5.3 MEDIUM
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
CVE-2024-41827 2024-07-24 N/A 7.4 HIGH
In JetBrains TeamCity before 2024.07, access tokens could continue working after deletion or expiration.
CVE-2024-29070 2024-07-24 N/A N/A
On versions before 2.1.4, the session is not invalidated after logout. When the user logs in successfully, the backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4.
CVE-2022-48317 1 Checkmk 1 Checkmk 2024-07-23 N/A 9.8 CRITICAL
Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
CVE-2024-4680 1 Zenml 1 Zenml 2024-07-19 N/A 8.8 HIGH
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication.
CVE-2024-27782 2024-07-09 N/A 8.1 HIGH
Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests.
CVE-2024-36041 1 Kde 1 Plasma-workspace 2024-07-09 N/A 7.8 HIGH
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
CVE-2024-35050 2024-07-03 N/A 8.8 HIGH
An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin.
CVE-2024-35049 2024-07-03 N/A 9.1 CRITICAL
SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590.
CVE-2024-35048 2024-07-03 N/A 4.3 MEDIUM
An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.
CVE-2022-3080 2 Fedoraproject, Isc 2 Fedora, Bind 2024-07-03 N/A 7.5 HIGH
By sending specific queries to the resolver, an attacker can cause named to crash.
CVE-2024-5995 2024-06-17 N/A 8.8 HIGH
The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. The expiration of the session is not properly configured: it remains valid for more than 7 days and can be reused.
CVE-2024-35206 2024-06-11 N/A 7.8 HIGH
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application does not expire the session. This could allow an attacker to get unauthorized access.
CVE-2024-35220 2024-05-22 N/A 7.4 HIGH
@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
CVE-2024-0944 1 Totolink 2 T8, T8 Firmware 2024-05-17 2.6 LOW 5.3 MEDIUM
A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0943 1 Totolink 2 N350rt, N350rt Firmware 2024-05-17 2.6 LOW 5.3 MEDIUM
A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0942 1 Totolink 2 N200re-v5, N200re-v5 Firmware 2024-05-17 2.6 LOW 4.3 MEDIUM
A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitation is said to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0350 1 Engineers Online Portal Project 1 Engineers Online Portal 2024-05-17 2.1 LOW 6.5 MEDIUM
A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability.
CVE-2024-0260 1 Engineers Online Portal Project 1 Engineers Online Portal 2024-05-17 4.0 MEDIUM 7.5 HIGH
A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816.