Total
301 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2020-10-30 | 7.5 High |
| Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | ||||
| CVE-2020-4395 | 1 Ibm | 1 Security Access Manager Appliance | 2020-10-26 | 5.4 Medium |
| IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358. | ||||
| CVE-2020-4780 | 1 Ibm | 1 Curam Social Program Management | 2020-10-26 | 5.3 Medium |
| OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158. | ||||
| CVE-2020-6363 | 1 Sap | 1 Commerce Cloud | 2020-10-19 | 4.6 Medium |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration. | ||||
| CVE-2019-19199 | 1 Reddoxx | 1 Maildepot | 2020-10-13 | 7.4 High |
| REDDOXX MailDepot 2032 SP2 2.2.1242 has Insufficient Session Expiration because tokens are not invalidated upon a logout. | ||||
| CVE-2019-6584 | 1 Siemens | 2 Logo\!8, Logo\!8 Firmware | 2020-09-29 | 8.8 High |
| A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known. | ||||
| CVE-2020-13307 | 1 Gitlab | 1 Gitlab | 2020-09-18 | 4.7 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access. | ||||
| CVE-2020-13302 | 1 Gitlab | 1 Gitlab | 2020-09-17 | 7.2 High |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. | ||||
| CVE-2020-13305 | 1 Gitlab | 1 Gitlab | 2020-09-17 | 4.3 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project. | ||||
| CVE-2020-5774 | 1 Tenable | 1 Nessus | 2020-08-28 | 7.1 High |
| Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access to login into an existing browser session. | ||||
| CVE-2019-5462 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 8.8 High |
| A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. | ||||
| CVE-2019-10229 | 1 Mailstore | 2 Mailstore, Mailstore Server | 2020-08-24 | 8.8 High |
| An issue was discovered in MailStore Server (and Service Provider Edition) 9.x through 11.x before 11.2.2. When the directory service (for synchronizing and authenticating users) is set to Generic LDAP, an attacker is able to login as an existing user with an arbitrary password on the second login attempt. | ||||
| CVE-2019-9269 | 1 Google | 1 Android | 2020-08-24 | 7.3 High |
| In System Settings, there is a possible permissions bypass due to a cached Linux user ID. This could lead to a local permissions bypass with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-36899497 | ||||
| CVE-2018-2451 | 1 Sap | 1 Hana Extended Application Services | 2020-08-24 | N/A |
| XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user's session might misuse the session token even after the session has been closed. | ||||
| CVE-2019-8149 | 1 Magento | 1 Magento | 2020-08-24 | 9.8 Critical |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication. | ||||
| CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2020-08-21 | 9.8 Critical |
| A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database. | ||||
| CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2020-08-21 | 5.9 Medium |
| Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | ||||
| CVE-2020-6292 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 8.8 High |
| Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration. | ||||
| CVE-2020-6291 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 8.8 High |
| SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration | ||||
| CVE-2020-6644 | 1 Fortinet | 1 Fortideceptor | 2020-06-29 | 8.1 High |
| An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks. | ||||