Total
290 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-13305 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project. | |||||
CVE-2020-13302 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. | |||||
CVE-2020-13299 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session. | |||||
CVE-2020-15074 | 1 Openvpn | 1 Openvpn Access Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp. | |||||
CVE-2020-11795 | 1 Jetbrains | 1 Space | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In JetBrains Space through 2020-04-22, the session timeout period was configured improperly. | |||||
CVE-2020-3188 | 1 Cisco | 25 Asa 5505, Asa 5505 Firmware, Asa 5510 and 22 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only. | |||||
CVE-2020-1776 | 1 Otrs | 1 Otrs | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. | |||||
CVE-2016-11058 | 1 Netgear | 1 Genie | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs. | |||||
CVE-2019-12001 | 1 Hpe | 12 Msa 1040, Msa 1040 Firmware, Msa 1050 and 9 more | 2023-12-10 | 7.1 HIGH | 6.4 MEDIUM |
A remote session reuse vulnerability leading to access restriction bypass was discovered in HPE MSA 2040 SAN Storage; HPE MSA 1040 SAN Storage; HPE MSA 1050 SAN Storage; HPE MSA 2042 SAN Storage; HPE MSA 2050 SAN Storage; HPE MSA 2052 SAN Storage version(s): GL225P001 and earlier; GL225P001 and earlier; VE270R001-01 and earlier; GL225P001 and earlier; VL270R001-01 and earlier; VL270R001-01 and earlier. | |||||
CVE-2020-11688 | 1 Jetbrains | 1 Teamcity | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session. | |||||
CVE-2020-6644 | 1 Fortinet | 1 Fortideceptor | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks. | |||||
CVE-2020-12690 | 1 Openstack | 1 Keystone | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | |||||
CVE-2020-9482 | 1 Apache | 1 Nifi Registry | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. | |||||
CVE-2017-18905 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. | |||||
CVE-2020-8234 | 1 Ui | 12 Edgemax Firmware, Ep-s16, Es-12f and 9 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. | |||||
CVE-2019-8803 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2023-12-10 | 4.6 MEDIUM | 8.4 HIGH |
An authentication issue was addressed with improved state management. This issue is fixed in iOS 13.2 and iPadOS 13.2, macOS Catalina 10.15.1, tvOS 13.2, watchOS 6.1. A local attacker may be able to login to the account of a previously logged in user without valid credentials.. | |||||
CVE-2019-5462 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. | |||||
CVE-2019-5647 | 1 Rapid7 | 1 Appspider | 2023-12-10 | 3.6 LOW | 7.1 HIGH |
The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue affects Rapid7 AppSpider version 3.8.213 and prior versions, and is fixed in version 3.8.215. | |||||
CVE-2019-10229 | 1 Mailstore | 2 Mailstore, Mailstore Server | 2023-12-10 | 6.0 MEDIUM | 8.8 HIGH |
An issue was discovered in MailStore Server (and Service Provider Edition) 9.x through 11.x before 11.2.2. When the directory service (for synchronizing and authenticating users) is set to Generic LDAP, an attacker is able to login as an existing user with an arbitrary password on the second login attempt. | |||||
CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. |