Total: 289 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
CVE-2021-20378 | 1 Ibm | 1 Guardium Data Encryption | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.
CVE-2021-20431 | 3 Ibm, Linux, Microsoft | 3 I2 Analysts Notebook, Linux Kernel, Windows | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate the session after logout, which could allow an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342.
CVE-2021-35342 | 1 Northern.tech | 2 Mender, Useradm | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH | The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled).
CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2023-12-10 | 3.6 LOW | 3.5 LOW | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks).
CVE-2021-37156 | 1 Redmine | 1 Redmine | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.
CVE-2021-22136 | 1 Elastic | 1 Kibana | 2023-12-10 | 3.6 LOW | 3.5 LOW | In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.
CVE-2021-37693 | 1 Discourse | 1 Discourse | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site, an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token, which can then be used in other contexts, including resetting a password.
CVE-2021-26037 | 1 Joomla | 1 Joomla! | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly terminate existing user sessions when a user's password was changed or the user was blocked.
CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2023-12-10 | 3.6 LOW | 7.1 HIGH | A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.
CVE-2021-30943 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a Messages group but continue to receive messages in that group.
CVE-2021-33322 | 1 Liferay | 2 Dxp, Liferay Portal | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user's password via the old password reset token.
CVE-2021-31408 | 1 Vaadin | 2 Flow, Vaadin | 2023-12-10 | 3.3 LOW | 7.1 HIGH | The Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3), uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
CVE-2021-22221 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM | An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, and all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allows a user to maintain limited access after their password has expired.
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
CVE-2020-4780 | 1 Ibm | 1 Curam Social Program Management | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | OOTB build scripts do not set the secure attribute on the session cookie, which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.
CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks).
CVE-2020-15220 | 1 Combodo | 1 Itop | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal the user session. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15269 | 1 Sparksolutions | 1 Spree | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL | In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.