Total: 290 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-12421 | 1 Apache | 1 Nifi | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
CVE-2019-8149 | 1 Magento | 1 Magento | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append an arbitrary session id that will not be invalidated by subsequent authentication.
CVE-2019-11106 | 1 Intel | 2 Converged Security Management Engine Firmware, Trusted Execution Engine Firmware | 2023-12-10 | 4.6 MEDIUM | 6.7 MEDIUM | Insufficient session validation in the subsystem for Intel(R) CSME before versions 11.8.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-6197 | 1 Sap | 1 Enable Now | 2023-12-10 | 2.1 LOW | 3.3 LOW | SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.
CVE-2020-1768 | 1 Otrs | 1 Otrs | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM | The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity, so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
CVE-2020-6178 | 1 Sap | 1 Enable Now | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM | SAP Enable Now, before version 1911, sends the Session ID cookie value in the URL. This might be stolen from the browser history or log files, leading to Information Disclosure.
CVE-2019-17375 | 1 Cpanel | 1 Cpanel | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
CVE-2018-21018 | 1 Joinmastodon | 1 Mastodon | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2020-0621 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2023-12-10 | 2.1 LOW | 4.4 MEDIUM | A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update, aka 'Windows Security Feature Bypass Vulnerability'.
CVE-2014-2595 | 1 Barracuda | 1 Web Application Firewall | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
CVE-2019-9269 | 1 Google | 1 Android | 2023-12-10 | 4.4 MEDIUM | 7.3 HIGH | In System Settings, there is a possible permissions bypass due to a cached Linux user ID. This could lead to a local permissions bypass with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-36899497.
CVE-2019-1003049 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH | Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
CVE-2019-4072 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2023-12-10 | 6.5 MEDIUM | 6.3 MEDIUM | IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows users to remain idle within the application even when a user has logged out. Utilizing the application back button, users can remain logged in as the current user for a short period of time; therefore users are presented with information for the Spectrum Control Application. IBM X-Force ID: 157064.
CVE-2019-5531 | 1 Vmware | 3 Esxi, Vcenter Server, Vsphere Esxi | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM | VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user's browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
CVE-2019-5638 | 1 Rapid7 | 1 Nexpose | 2023-12-10 | 6.8 MEDIUM | 8.7 HIGH | Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.
CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM | Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
CVE-2019-16133 | 1 Weaver | 1 Eteams Oa | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.
CVE-2019-7280 | 1 Primasystems | 1 Flexair | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH | Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.
CVE-2019-6584 | 1 Siemens | 2 Logo!8, Logo!8 Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2018-6634 | 3 Canonical, Microsoft, Parsecgaming | 3 Ubuntu Linux, Windows, Parsec | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 LTS Desktop' Build 142-1 allows unauthorized users to maintain access to an account.