Filtered by CWE-613
Total: 301 CVEs
CVE Vendors Products Updated CVSS v3.1
CVE-2017-18905 1 Mattermost 1 Mattermost Server 2020-06-25 5.3 Medium
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider: session invalidation was mishandled.
CVE-2020-10876 2 Mica, Oklok Project 2 Fingerprint Bluetooth Padlock Fb50, Oklok 2020-05-15 7.5 High
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account.
CVE-2020-9482 1 Apache 1 Nifi Registry 2020-05-05 6.5 Medium
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.
CVE-2016-11058 1 Netgear 1 Genie 2020-05-05 7.5 High
The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs.
CVE-2020-11795 1 Jetbrains 1 Space 2020-04-29 7.5 High
In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.
CVE-2020-8867 1 Opcfoundation 1 Unified Architecture .net-standard 2020-04-29 7.5 High
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.
CVE-2019-12001 1 Hpe 12 Msa 1040, Msa 1040 Firmware, Msa 1050 and 9 more 2020-04-28 6.4 Medium
A remote session reuse vulnerability leading to access restriction bypass was discovered in HPE MSA 2040 SAN Storage; HPE MSA 1040 SAN Storage; HPE MSA 1050 SAN Storage; HPE MSA 2042 SAN Storage; HPE MSA 2050 SAN Storage; HPE MSA 2052 SAN Storage version(s): GL225P001 and earlier; GL225P001 and earlier; VE270R001-01 and earlier; GL225P001 and earlier; VL270R001-01 and earlier; VL270R001-01 and earlier.
CVE-2020-11688 1 Jetbrains 1 Teamcity 2020-04-27 7.5 High
In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session.
CVE-2020-4253 1 Ibm 1 Content Navigator 2020-03-24 8.8 High
IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 175559.
CVE-2020-6197 1 Sap 1 Enable Now 2020-03-12 3.3 Low
SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.
CVE-2014-2595 1 Barracuda 1 Web Application Firewall 2020-02-20 9.8 Critical
Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
CVE-2020-1768 1 Otrs 1 Otrs 2020-02-11 5.4 Medium
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
CVE-2019-5531 1 Vmware 3 Esxi, Vcenter Server, Vsphere Esxi 2020-02-10 5.4 Medium
VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
CVE-2019-5647 1 Rapid7 1 Appspider 2020-01-30 7.1 High
The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue affects Rapid7 AppSpider version 3.8.213 and prior versions, and is fixed in version 3.8.215.
CVE-2020-0621 1 Microsoft 3 Windows 10, Windows Server 2016, Windows Server 2019 2020-01-17 4.4 Medium
A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update, aka 'Windows Security Feature Bypass Vulnerability'.
CVE-2019-11106 1 Intel 2 Converged Security Management Engine Firmware, Trusted Execution Engine Firmware 2019-12-31 6.7 Medium
Insufficient session validation in the subsystem for Intel(R) CSME before versions 11.8.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2019-8803 1 Apple 5 Ipados, Iphone Os, Mac Os X and 2 more 2019-12-26 8.4 High
An authentication issue was addressed with improved state management. This issue is fixed in iOS 13.2 and iPadOS 13.2, macOS Catalina 10.15.1, tvOS 13.2, watchOS 6.1. A local attacker may be able to log in to the account of a previously logged in user without valid credentials.
CVE-2018-0152 1 Cisco 1 Ios Xe 2019-12-03 8.8 High
A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affected device with the privileges of the user who previously logged in to the web UI. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled and authentication, authorization, and accounting (AAA) authorization is not configured for EXEC sessions. The default state of the HTTP Server feature is version-dependent. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. Cisco Bug IDs: CSCvf71769.
CVE-2019-17375 1 Cpanel 1 Cpanel 2019-10-11 8.8 High
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
CVE-2019-3790 1 Pivotal Software 1 Operations Manager 2019-10-09 N/A
The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.