Total: 301 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-36179 | Fusiondirectory | Fusiondirectory | 2023-07-10 | 9.8 Critical | FusionDirectory 1.3 suffers from improper session handling.
CVE-2023-35857 | Siren | Investigate | 2023-06-27 | 9.8 Critical | In Siren Investigate before 13.2.2, session keys remain active even after logging out.
CVE-2023-2788 | Mattermost | Mattermost | 2023-06-26 | 6.5 Medium | Mattermost fails to check whether an admin user account is active after an OAuth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an OAuth2 access token while the attacker's account is deactivated.
CVE-2023-0041 | Ibm, Linux | Security Guardium, Linux Kernel | 2023-06-09 | 8.8 High | IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657.
CVE-2023-32318 | Nextcloud | Nextcloud Server | 2023-06-02 | 6.7 Medium | Nextcloud Server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account, the previous session would be continued and the attacker would be authenticated as the previously logged-in user. It is recommended that Nextcloud Server is upgraded to 25.0.6 or 26.0.1.
CVE-2023-31065 | Apache | Inlong | 2023-05-27 | 9.1 Critical | Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 and https://github.com/apache/inlong/pull/7884 to solve it.
CVE-2023-31139 | Dhis2 | Dhis 2 | 2023-05-16 | 7.5 High | DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, those based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.
CVE-2023-31140 | Openproject | Openproject | 2023-05-15 | 6.5 Medium | OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged-in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts that have registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
CVE-2020-4914 | Ibm | Cloud Pak System | 2023-05-11 | 5.5 Medium | IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate the session after logout, which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290.
CVE-2022-38707 | Ibm | Cognos Command Center | 2023-05-11 | 5.5 Medium | IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179.
CVE-2023-30403 | Aigital | Wireless-n Repeater Mini Router, Wireless-n Repeater Mini Router Firmware | 2023-05-10 | 7.5 High | An issue in the time-based authentication mechanism of Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.
CVE-2023-28003 | Schneider-electric | Ecostruxure Power Monitoring Expert | 2023-05-01 | 8.8 High | A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.
CVE-2022-37186 | Lemonldap-ng | Lemonldap\ | 2023-04-26 | 5.9 Medium | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers and a session is manually removed before the time at which it would have been removed automatically.
CVE-2023-1788 | Firefly-iii | Firefly Iii | 2023-04-12 | 9.8 Critical | Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.
CVE-2023-20903 | Cloudfoundry | User Account And Authentication | 2023-04-06 | 4.3 Medium | This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers. Assume that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, and the administrator of the UAA then deactivates the identity provider from the UAA. It is expected that the UAA would reject the refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
CVE-2023-1543 | Answer | Answer | 2023-03-23 | 8.8 High | Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.
CVE-2023-27891 | Rami | Pretix | 2023-03-14 | 7.5 High | rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
CVE-2022-48317 | Tribe29 | Checkmk | 2023-03-06 | 9.8 Critical | Expired sessions were not securely terminated in the REST API of Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28, allowing an attacker to use expired session tokens when communicating with the REST API.
CVE-2023-25562 | Datahub Project | Datahub | 2023-02-21 | 9.8 Critical | DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45, session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged-out session; as a result, any logged-out session cookie may be accepted as valid and therefore lead to an authentication bypass of the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-083.
CVE-2017-12191 | Redhat | Cloudforms | 2023-02-12 | N/A | A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMware Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to.