Total
301 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-30943 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2023-11-07 | 4.3 Medium |
| An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a messages group but continue to receive messages in that group. | ||||
| CVE-2021-25985 | 1 Darwin | 1 Factor | 2023-11-07 | 9.8 Critical |
| In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover. | ||||
| CVE-2021-21032 | 1 Magento | 1 Magento | 2023-11-07 | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. | ||||
| CVE-2021-21031 | 1 Magento | 1 Magento | 2023-11-07 | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. | ||||
| CVE-2021-1501 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2023-11-07 | 7.5 High |
| A vulnerability in the SIP inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a crash and reload of an affected device, resulting in a denial of service (DoS) condition.The vulnerability is due to a crash that occurs during a hash lookup for a SIP pinhole connection. An attacker could exploit this vulnerability by sending crafted SIP traffic through an affected device. A successful exploit could allow the attacker to cause a crash and reload of the affected device. | ||||
| CVE-2020-8234 | 1 Ui | 12 Edgemax Firmware, Ep-s16, Es-12f and 9 more | 2023-11-07 | 9.8 Critical |
| A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. | ||||
| CVE-2020-25374 | 1 Cyberark | 1 Privileged Session Manager | 2023-11-07 | 2.6 Low |
| CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. | ||||
| CVE-2020-1762 | 2 Kiali, Redhat | 2 Kiali, Openshift Service Mesh | 2023-11-07 | 8.6 High |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | ||||
| CVE-2020-1724 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2023-11-07 | 4.3 Medium |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | ||||
| CVE-2020-12690 | 1 Openstack | 1 Keystone | 2023-11-07 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | ||||
| CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2023-11-07 | 7.1 High |
| A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6. | ||||
| CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2023-11-07 | N/A |
| Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. | ||||
| CVE-2019-12421 | 1 Apache | 1 Nifi | 2023-11-07 | 8.8 High |
| When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. | ||||
| CVE-2018-11386 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2023-11-07 | N/A |
| An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. | ||||
| CVE-2018-10990 | 1 Commscope | 2 Arris Tg1682g, Arris Tg1682g Firmware | 2023-11-07 | 8.0 High |
| On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser. | ||||
| CVE-2017-3966 | 1 Mcafee | 1 Network Security Manager | 2023-11-07 | N/A |
| Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the application URL. | ||||
| CVE-2023-46158 | 1 Ibm | 1 Websphere Application Server Liberty | 2023-11-01 | 9.8 Critical |
| IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775. | ||||
| CVE-2023-45659 | 1 Engelsystem | 1 Engelsystem | 2023-10-30 | 2.8 Low |
| Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability. | ||||
| CVE-2019-1003049 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2023-10-25 | 8.1 High |
| Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. | ||||
| CVE-2023-37504 | 1 Hcltech | 1 Hcl Compass | 2023-10-25 | 6.5 Medium |
| HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user. | ||||