Total: 289 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Old session tokens can be used to authenticate to the application and send authenticated requests. | |||||
CVE-2022-41672 | 1 Apache | 1 Airflow | 2023-12-10 | N/A | 8.1 HIGH |
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | |||||
CVE-2022-41291 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-10 | N/A | 6.5 MEDIUM |
IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699. | |||||
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2023-12-10 | N/A | 8.8 HIGH |
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
CVE-2022-35728 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2023-12-10 | N/A | 9.8 CRITICAL |
In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2023-12-10 | N/A | 8.8 HIGH |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2023-12-10 | N/A | 5.4 MEDIUM |
devhub 0.102.0 was discovered to contain a broken session control. | |||||
CVE-2022-31677 | 1 Vmware | 1 Pinniped | 2023-12-10 | N/A | 5.4 MEDIUM |
An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow. | |||||
CVE-2022-2713 | 1 Agentejo | 1 Cockpit | 2023-12-10 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. | |||||
CVE-2022-33137 | 1 Siemens | 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH |
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions. | |||||
CVE-2022-30699 | 2 Fedoraproject, Nlnetlabs | 2 Fedora, Unbound | 2023-12-10 | N/A | 6.5 MEDIUM |
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten. | |||||
CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 5.3 MEDIUM |
Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by the previous user. | |||||
CVE-2022-31050 | 1 Typo3 | 1 Typo3 | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. | |||||
CVE-2022-24743 | 1 Sylius | 1 Sylius | 2023-12-10 | 6.4 MEDIUM | 8.2 HIGH |
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory. | |||||
CVE-2022-24341 | 1 Jetbrains | 1 Teamcity | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. | |||||
CVE-2021-25992 | 1 If-me | 1 Ifme | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a user’s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks. | |||||
CVE-2021-38986 | 1 Ibm | 1 Mq | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942. | |||||
CVE-2022-2064 | 1 Xgenecloud | 1 Nocodb | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+. | |||||
CVE-2022-23669 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
CVE-2021-27751 | 1 Hcltechsw | 1 Hcl Commerce | 2023-12-10 | 1.9 LOW | 3.3 LOW |
HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible. |