Total
273 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-35857 | 1 Siren | 1 Investigate | 2024-02-04 | N/A | 9.8 CRITICAL |
In Siren Investigate before 13.2.2, session keys remain active even after logging out. | |||||
CVE-2023-0041 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-02-04 | N/A | 8.8 HIGH |
IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657. | |||||
CVE-2023-31139 | 1 Dhis2 | 1 Dhis 2 | 2024-02-04 | N/A | 7.5 HIGH |
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy. | |||||
CVE-2023-25562 | 1 Datahub Project | 1 Datahub | 2024-02-04 | N/A | 9.8 CRITICAL |
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45, session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged-out session; as a result, any logged-out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-083. | |||||
CVE-2022-36179 | 1 Fusiondirectory | 1 Fusiondirectory | 2024-02-04 | N/A | 9.8 CRITICAL |
Fusiondirectory 1.3 suffers from Improper Session Handling. | |||||
CVE-2022-47406 | 1 Change Password For Frontend Users Project | 1 Change Password For Frontend Users | 2024-02-04 | N/A | 9.8 CRITICAL |
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed. | |||||
CVE-2023-22771 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2024-02-04 | N/A | 2.4 LOW |
An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account. | |||||
CVE-2022-40228 | 1 Ibm | 1 Datapower Gateway | 2024-02-04 | N/A | 5.4 MEDIUM |
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527. | |||||
CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2024-02-04 | N/A | 3.2 LOW |
IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens not being invalidated after a password reset. IBM X-Force ID: 243710. | |||||
CVE-2023-23929 | 1 Vantage6 | 1 Vantage6 | 2024-02-04 | N/A | 8.8 HIGH |
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. | |||||
CVE-2022-23502 | 1 Typo3 | 1 Typo3 | 2024-02-04 | N/A | 5.4 MEDIUM |
TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, and 12.1.1. | |||||
CVE-2022-4070 | 1 Librenms | 1 Librenms | 2024-02-04 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0. | |||||
CVE-2022-34392 | 1 Dell | 1 Supportassist For Home Pcs | 2024-02-04 | N/A | 5.5 MEDIUM |
SupportAssist for Home PCs (versions 3.11.4 and prior) contains an insufficient session expiration vulnerability. An authenticated non-admin user may be able to obtain the refresh token, which allows reuse of the access token to fetch sensitive information. | |||||
CVE-2023-27891 | 1 Rami | 1 Pretix | 2024-02-04 | N/A | 7.5 HIGH |
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. | |||||
CVE-2022-48317 | 1 Tribe29 | 1 Checkmk | 2024-02-04 | N/A | 9.8 CRITICAL |
Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI. | |||||
CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2024-02-04 | N/A | 5.4 MEDIUM |
devhub 0.102.0 was discovered to contain a broken session control. | |||||
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-02-04 | N/A | 8.8 HIGH |
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
CVE-2022-41291 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-02-04 | N/A | 6.5 MEDIUM |
IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699. | |||||
CVE-2022-31145 | 1 Flyte | 1 Flyteadmin | 2024-02-04 | N/A | 6.5 MEDIUM |
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet. | |||||
CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Old session tokens can be used to authenticate to the application and send authenticated requests. | |||||