Total: 301 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-39695 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2023-11-09 | 5.3 Medium | Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out.
CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2023-11-09 | 8.2 High | Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2023-11-08 | 9.8 Critical | Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.
CVE-2023-33303 | 1 Fortinet | 1 Fortiedr | 2023-11-07 | 8.1 High | An insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows an attacker to execute unauthorized code or commands via an API request.
CVE-2023-28001 | 1 Fortinet | 1 Fortios | 2023-11-07 | 9.8 Critical | An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands by reusing the session of a deleted user in the REST API.
CVE-2023-23929 | 1 Vantage6 | 1 Vantage6 | 2023-11-07 | 8.8 High | vantage6 is a privacy-preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0.
CVE-2023-22771 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2023-11-07 | 2.4 Low | An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account.
CVE-2023-22732 | 1 Shopware | 1 Shopware | 2023-11-07 | 9.8 Critical | Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. The Administration session expiration was set to one week, so an attacker who has stolen the session cookie could use it for a long period of time. In version 6.4.18.1 an automatic logout of the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2023-11-07 | 3.2 Low | IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system to retain access, due to session tokens not being invalidated after a password reset. IBM X-Force ID: 243710.
CVE-2022-43844 | 2 Ibm, Redhat | 2 Robotic Process Automation For Cloud Pak, Openshift | 2023-11-07 | 8.8 High | IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081.
CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2023-11-07 | 5.4 Medium | devhub 0.102.0 was discovered to contain broken session control.
CVE-2022-40228 | 1 Ibm | 1 Datapower Gateway | 2023-11-07 | 5.4 Medium | IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate the session after a password change, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
CVE-2022-3916 | 1 Redhat | 7 Enterprise Linux, Keycloak, Openshift Container Platform and 4 more | 2023-11-07 | 6.8 Medium | A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation and the reuse of session IDs across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
CVE-2022-34392 | 1 Dell | 1 Supportassist For Home Pcs | 2023-11-07 | 5.5 Medium | SupportAssist for Home PCs (versions 3.11.4 and prior) contains an insufficient session expiration vulnerability. An authenticated non-admin user is able to obtain the refresh token, which allows reuse of the access token to fetch sensitive information.
CVE-2022-30699 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2023-11-07 | 6.5 Medium | NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information has expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire, making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.
CVE-2022-30698 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2023-11-07 | 6.5 Medium | NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second-level subdomain for which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
CVE-2022-22371 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling B2b Integrator, Linux Kernel and 1 more | 2023-11-07 | 6.5 Medium | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate the session after a password change, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
CVE-2021-3844 | 1 Rapid7 | 1 Insightvm | 2023-11-07 | 5.4 Medium | Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638.
CVE-2021-34739 | 1 Cisco | 418 Cbs250-16p-2g, Cbs250-16p-2g Firmware, Cbs250-16t-2g and 415 more | 2023-11-07 | 8.1 High | A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges.
CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2023-11-07 | 3.5 Low | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.