Total
413 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22732 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 3.7 LOW |
| Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2024-11-21 | N/A | 3.9 LOW |
| IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710. | |||||
| CVE-2023-22492 | 1 Zitadel | 1 Zitadel | 2024-11-21 | N/A | 5.9 MEDIUM |
| ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. | |||||
| CVE-2023-1854 | 1 Online Graduate Tracer System Project | 1 Online Graduate Tracer System | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-224994 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-1788 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. | |||||
| CVE-2023-1543 | 1 Answer | 1 Answer | 2024-11-21 | N/A | 8.8 HIGH |
| Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6. | |||||
| CVE-2023-0227 | 1 Pyload | 1 Pyload | 2024-11-21 | N/A | 6.5 MEDIUM |
| Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36. | |||||
| CVE-2023-0041 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-11-21 | N/A | 6.3 MEDIUM |
| IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657. | |||||
| CVE-2022-4070 | 1 Librenms | 1 Librenms | 2024-11-21 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0. | |||||
| CVE-2022-48317 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 5.6 MEDIUM |
| Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI. | |||||
| CVE-2022-46177 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 5.7 MEDIUM |
| Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed. | |||||
| CVE-2022-41672 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 8.1 HIGH |
| In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | |||||
| CVE-2022-41291 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699. | |||||
| CVE-2022-40228 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | N/A | 3.7 LOW |
| IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527. | |||||
| CVE-2022-3916 | 1 Redhat | 7 Enterprise Linux, Keycloak, Openshift Container Platform and 4 more | 2024-11-21 | N/A | 6.8 MEDIUM |
| A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | |||||
| CVE-2022-3362 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. | |||||
| CVE-2022-3080 | 2 Fedoraproject, Isc | 2 Fedora, Bind | 2024-11-21 | N/A | 7.5 HIGH |
| By sending specific queries to the resolver, an attacker can cause named to crash. | |||||
| CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 4.7 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
| CVE-2022-38707 | 1 Ibm | 1 Cognos Command Center | 2024-11-21 | N/A | 4.0 MEDIUM |
| IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179. | |||||
| CVE-2022-35728 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2024-11-21 | N/A | 8.1 HIGH |
| In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||