Total
273 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9269 | 1 Google | 1 Android | 2024-02-04 | 4.4 MEDIUM | 7.3 HIGH |
| In System Settings, there is a possible permissions bypass due to a cached Linux user ID. This could lead to a local permissions bypass with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-36899497 | |||||
| CVE-2014-2595 | 1 Barracuda | 1 Web Application Firewall | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string. | |||||
| CVE-2019-8149 | 1 Magento | 1 Magento | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication. | |||||
| CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. | |||||
| CVE-2019-5647 | 1 Rapid7 | 1 Appspider | 2024-02-04 | 3.6 LOW | 7.1 HIGH |
| The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue affects Rapid7 AppSpider version 3.8.213 and prior versions, and is fixed in version 3.8.215. | |||||
| CVE-2020-1768 | 1 Otrs | 1 Otrs | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. | |||||
| CVE-2020-0621 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-02-04 | 2.1 LOW | 4.4 MEDIUM |
| A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update, aka 'Windows Security Feature Bypass Vulnerability'. | |||||
| CVE-2020-6197 | 1 Sap | 1 Enable Now | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables. | |||||
| CVE-2019-12421 | 1 Apache | 1 Nifi | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. | |||||
| CVE-2018-21018 | 1 Joinmastodon | 1 Mastodon | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions. | |||||
| CVE-2019-5462 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. | |||||
| CVE-2019-5638 | 1 Rapid7 | 1 Nexpose | 2024-02-04 | 6.8 MEDIUM | 8.7 HIGH |
| Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. | |||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2024-02-04 | 6.0 MEDIUM | 7.1 HIGH |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts. | |||||
| CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. | |||||
| CVE-2019-7280 | 1 Primasystems | 1 Flexair | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
| Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication. | |||||
| CVE-2019-1003049 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. | |||||
| CVE-2019-5531 | 1 Vmware | 3 Esxi, Vcenter Server, Vsphere Esxi | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM |
| VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out. | |||||
| CVE-2019-4072 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2024-02-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows users to remain idle within the application even when a user has logged out. Utilizing the application back button users can remain logged in as the current user for a short period of time, therefore users are presented with information for Spectrum Control Application. IBM X-Force ID: 157064. | |||||
| CVE-2019-14826 | 2 Freeipa, Redhat | 2 Freeipa, Enterprise Linux | 2024-02-04 | 2.1 LOW | 4.4 MEDIUM |
| A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session. | |||||
| CVE-2019-6584 | 1 Siemens | 2 Logo\!8, Logo\!8 Firmware | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||