Total
273 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4253 | 1 Ibm | 1 Content Navigator | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 175559. | |||||
| CVE-2017-18905 | 1 Mattermost | 1 Mattermost Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. | |||||
| CVE-2020-5774 | 1 Tenable | 1 Nessus | 2024-02-04 | 3.6 LOW | 7.1 HIGH |
| Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access to login into an existing browser session. | |||||
| CVE-2020-8234 | 1 Ui | 12 Edgemax Firmware, Ep-s16, Es-12f and 9 more | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. | |||||
| CVE-2020-1776 | 1 Otrs | 1 Otrs | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. | |||||
| CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | |||||
| CVE-2020-1762 | 2 Kiali, Redhat | 2 Kiali, Openshift Service Mesh | 2024-02-04 | 7.5 HIGH | 8.6 HIGH |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | |||||
| CVE-2020-11795 | 1 Jetbrains | 1 Space | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains Space through 2020-04-22, the session timeout period was configured improperly. | |||||
| CVE-2020-1724 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | |||||
| CVE-2020-12690 | 1 Openstack | 1 Keystone | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | |||||
| CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database. | |||||
| CVE-2020-8867 | 1 Opcfoundation | 1 Unified Architecture .net-standard | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295. | |||||
| CVE-2016-11058 | 1 Netgear | 1 Genie | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs. | |||||
| CVE-2020-13305 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project. | |||||
| CVE-2019-10229 | 1 Mailstore | 2 Mailstore, Mailstore Server | 2024-02-04 | 6.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in MailStore Server (and Service Provider Edition) 9.x through 11.x before 11.2.2. When the directory service (for synchronizing and authenticating users) is set to Generic LDAP, an attacker is able to login as an existing user with an arbitrary password on the second login attempt. | |||||
| CVE-2019-11106 | 1 Intel | 2 Converged Security Management Engine Firmware, Trusted Execution Engine Firmware | 2024-02-04 | 4.6 MEDIUM | 6.7 MEDIUM |
| Insufficient session validation in the subsystem for Intel(R) CSME before versions 11.8.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-6178 | 1 Sap | 1 Enable Now | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure. | |||||
| CVE-2019-8803 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2024-02-04 | 4.6 MEDIUM | 8.4 HIGH |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 13.2 and iPadOS 13.2, macOS Catalina 10.15.1, tvOS 13.2, watchOS 6.1. A local attacker may be able to login to the account of a previously logged in user without valid credentials.. | |||||
| CVE-2019-11168 | 1 Intel | 85 Baseboard Management Controller Firmware, Bbs2600bpb, Bbs2600bpbr and 82 more | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access. | |||||
| CVE-2019-17375 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517). | |||||