Total
311 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22389 | 2024-02-14 | N/A | 7.2 HIGH | ||
| When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-34624 | 1 Mealie | 1 Mealie | 2024-02-14 | N/A | 5.9 MEDIUM |
| Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. | |||||
| CVE-2023-50936 | 1 Ibm | 1 Powersc | 2024-02-02 | N/A | 8.8 HIGH |
| IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116. | |||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 6.0 MEDIUM | 7.1 HIGH |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts. | |||||
| CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-01-03 | N/A | 8.8 HIGH |
| One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. | |||||
| CVE-2023-49935 | 1 Schedmd | 1 Slurm | 2024-01-03 | N/A | 8.8 HIGH |
| An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1. | |||||
| CVE-2021-3144 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 7.5 HIGH | 9.1 CRITICAL |
| In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.) | |||||
| CVE-2023-49091 | 1 Cosmos-cloud | 1 Cosmos Server | 2023-12-08 | N/A | 9.8 CRITICAL |
| Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0. | |||||
| CVE-2023-46326 | 1 Zstack | 1 Zstack | 2023-12-06 | N/A | 8.8 HIGH |
| ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation. | |||||
| CVE-2023-47628 | 1 Datahub Project | 1 Datahub | 2023-11-21 | N/A | 4.8 MEDIUM |
| DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-11-09 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. | |||||
| CVE-2023-39695 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2023-11-09 | N/A | 5.3 MEDIUM |
| Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out. | |||||
| CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2023-11-09 | N/A | 8.2 HIGH |
| Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2023-11-08 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. | |||||
| CVE-2023-33303 | 1 Fortinet | 1 Fortiedr | 2023-11-07 | N/A | 8.1 HIGH |
| A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request | |||||
| CVE-2023-28001 | 1 Fortinet | 1 Fortios | 2023-11-07 | N/A | 9.8 CRITICAL |
| An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API. | |||||
| CVE-2023-23929 | 1 Vantage6 | 1 Vantage6 | 2023-11-07 | N/A | 8.8 HIGH |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. | |||||
| CVE-2023-22771 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2023-11-07 | N/A | 2.4 LOW |
| An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account | |||||
| CVE-2023-22732 | 1 Shopware | 1 Shopware | 2023-11-07 | N/A | 9.8 CRITICAL |
| Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2023-11-07 | N/A | 3.2 LOW |
| IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710. | |||||