Total
302 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-35473 | 2024-11-19 | N/A | 9.1 CRITICAL | ||
An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired access token from an OIDC client to access the OAuth2 handler The earliest affected version is 2.0.4. | |||||
CVE-2024-11208 | 1 Apereo | 1 Central Authentication Service | 2024-11-19 | 2.6 LOW | 8.1 HIGH |
A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-52553 | 2024-11-15 | N/A | 8.8 HIGH | ||
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. | |||||
CVE-2024-46892 | 1 Siemens | 1 Sinec Ins | 2024-11-13 | N/A | 8.1 HIGH |
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled. | |||||
CVE-2024-29402 | 2024-11-07 | N/A | 4.3 MEDIUM | ||
cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | |||||
CVE-2024-46040 | 2024-11-04 | N/A | 6.5 MEDIUM | ||
IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired. | |||||
CVE-2024-21722 | 2024-10-30 | N/A | 6.3 MEDIUM | ||
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified. | |||||
CVE-2024-48926 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 3.1 LOW |
Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. | |||||
CVE-2024-25718 | 1 Dropbox | 1 Samly | 2024-10-21 | N/A | 9.8 CRITICAL |
In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry. | |||||
CVE-2024-45462 | 1 Apache | 1 Cloudstack | 2024-10-17 | N/A | 7.1 HIGH |
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. | |||||
CVE-2024-48827 | 2024-10-15 | N/A | 8.8 HIGH | ||
An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function. | |||||
CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 5.0 MEDIUM | 7.5 HIGH |
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | |||||
CVE-2023-31065 | 1 Apache | 1 Inlong | 2024-10-09 | N/A | 9.1 CRITICAL |
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 , https://github.com/apache/inlong/pull/7884 https://github.com/apache/inlong/pull/7884 to solve it. | |||||
CVE-2024-23586 | 1 Hcltech | 2 Domino, Hcl Nomad | 2024-10-07 | N/A | 7.5 HIGH |
HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information. | |||||
CVE-2024-8888 | 1 Circutor | 2 Q-smt, Q-smt Firmware | 2024-10-01 | N/A | 7.5 HIGH |
An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc. | |||||
CVE-2022-38382 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2024-09-21 | N/A | 4.1 MEDIUM |
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672. | |||||
CVE-2024-38315 | 1 Ibm | 1 Aspera Shares | 2024-09-20 | N/A | 6.5 MEDIUM |
IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. | |||||
CVE-2019-5638 | 1 Rapid7 | 1 Nexpose | 2024-09-16 | 6.8 MEDIUM | 8.7 HIGH |
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. | |||||
CVE-2024-32006 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication. | |||||
CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-09-09 | N/A | 8.8 HIGH |
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. |