Total
301 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-31408 | 1 Vaadin | 2 Flow, Vaadin | 2021-05-04 | 7.1 High |
| Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out. | ||||
| CVE-2019-3867 | 1 Redhat | 1 Quay | 2021-03-25 | 4.1 Medium |
| A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue. | ||||
| CVE-2021-26921 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-03-22 | 6.5 Medium |
| In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. | ||||
| CVE-2020-35358 | 1 Domainmod | 1 Domainmod | 2021-03-18 | 9.8 Critical |
| DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality. | ||||
| CVE-2021-3311 | 1 Octobercms | 1 October | 2021-03-15 | 9.8 Critical |
| An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker. | ||||
| CVE-2009-20001 | 1 Mantisbt | 1 Mantisbt | 2021-03-11 | 8.1 High |
| An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them. | ||||
| CVE-2020-4995 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2021-02-11 | 5.3 Medium |
| IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users' session. IBM X-Force ID: 192912. | ||||
| CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2021-02-10 | 9.8 Critical |
| An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | ||||
| CVE-2020-14247 | 1 Hcltechsw | 1 Onetest Performance | 2021-02-09 | 6.5 Medium |
| HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID. | ||||
| CVE-2021-3183 | 1 Files | 1 Fat Client | 2021-01-27 | 7.5 High |
| Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile. | ||||
| CVE-2020-15218 | 1 Combodo | 1 Itop | 2021-01-15 | 6.8 Medium |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0. | ||||
| CVE-2020-15220 | 1 Combodo | 1 Itop | 2021-01-15 | 6.1 Medium |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0. | ||||
| CVE-2016-20007 | 1 Rest\/json Project | 1 Rest\/json | 2021-01-07 | 7.5 High |
| The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. | ||||
| CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2020-12-14 | 9.8 Critical |
| In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration. | ||||
| CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2020-11-30 | 9.8 Critical |
| In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account. | ||||
| CVE-2020-23136 | 1 Microweber | 1 Microweber | 2020-11-20 | 5.5 Medium |
| Microweber v1.1.18 is affected by no session expiry after log-out. | ||||
| CVE-2020-23140 | 1 Microweber | 1 Microweber | 2020-11-20 | 8.1 High |
| Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | ||||
| CVE-2020-15950 | 1 Immuta | 1 Immuta | 2020-11-12 | 8.8 High |
| Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout. | ||||
| CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 9.8 Critical |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. | ||||
| CVE-2020-27739 | 1 Citadel | 1 Webcit | 2020-11-04 | 9.8 Critical |
| A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | ||||