Total
311 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2020-12-14 | 10.0 HIGH | 9.8 CRITICAL |
| In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration. | |||||
| CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2020-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account. | |||||
| CVE-2020-23136 | 1 Microweber | 1 Microweber | 2020-11-20 | 2.1 LOW | 5.5 MEDIUM |
| Microweber v1.1.18 is affected by no session expiry after log-out. | |||||
| CVE-2020-23140 | 1 Microweber | 1 Microweber | 2020-11-20 | 5.8 MEDIUM | 8.1 HIGH |
| Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | |||||
| CVE-2020-15950 | 1 Immuta | 1 Immuta | 2020-11-12 | 6.8 MEDIUM | 8.8 HIGH |
| Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout. | |||||
| CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. | |||||
| CVE-2020-27739 | 1 Citadel | 1 Webcit | 2020-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | |||||
| CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2020-10-30 | 5.0 MEDIUM | 7.5 HIGH |
| Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | |||||
| CVE-2020-4395 | 1 Ibm | 1 Security Access Manager Appliance | 2020-10-26 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358. | |||||
| CVE-2020-4780 | 1 Ibm | 1 Curam Social Program Management | 2020-10-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158. | |||||
| CVE-2020-6363 | 1 Sap | 1 Commerce Cloud | 2020-10-19 | 4.9 MEDIUM | 4.6 MEDIUM |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration. | |||||
| CVE-2019-19199 | 1 Reddoxx | 1 Maildepot | 2020-10-13 | 5.8 MEDIUM | 7.4 HIGH |
| REDDOXX MailDepot 2032 SP2 2.2.1242 has Insufficient Session Expiration because tokens are not invalidated upon a logout. | |||||
| CVE-2019-6584 | 1 Siemens | 2 Logo\!8, Logo\!8 Firmware | 2020-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2020-13307 | 1 Gitlab | 1 Gitlab | 2020-09-18 | 6.0 MEDIUM | 4.7 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access. | |||||
| CVE-2020-13302 | 1 Gitlab | 1 Gitlab | 2020-09-17 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. | |||||
| CVE-2020-13305 | 1 Gitlab | 1 Gitlab | 2020-09-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project. | |||||
| CVE-2020-5774 | 1 Tenable | 1 Nessus | 2020-08-28 | 3.6 LOW | 7.1 HIGH |
| Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access to login into an existing browser session. | |||||
| CVE-2019-5462 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. | |||||
| CVE-2019-8149 | 1 Magento | 1 Magento | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication. | |||||
| CVE-2018-2451 | 1 Sap | 1 Hana Extended Application Services | 2020-08-24 | 6.0 MEDIUM | 6.6 MEDIUM |
| XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user's session might misuse the session token even after the session has been closed. | |||||