Total
273 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23669 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-3461 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-04 | 3.3 LOW | 7.1 HIGH |
| A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | |||||
| CVE-2022-23063 | 1 Shopizer | 1 Shopizer | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2022-24341 | 1 Jetbrains | 1 Teamcity | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. | |||||
| CVE-2022-22317 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Curam Social Program Management and 4 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281. | |||||
| CVE-2021-38986 | 1 Ibm | 1 Mq | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942. | |||||
| CVE-2022-24744 | 1 Shopware | 1 Shopware | 2024-02-04 | 3.5 LOW | 3.5 LOW |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | |||||
| CVE-2022-24332 | 1 Jetbrains | 1 Teamcity | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie. | |||||
| CVE-2022-30277 | 1 Bd | 1 Synapsys | 2024-02-04 | 3.6 LOW | 5.7 MEDIUM |
| BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). | |||||
| CVE-2022-22283 | 1 Samsung | 1 Health | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App. | |||||
| CVE-2022-22113 | 1 Daybydaycrm | 1 Daybyday | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2021-41247 | 1 Jupyter | 1 Jupyterhub | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out. | |||||
| CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session. | |||||
| CVE-2021-25985 | 1 Darwin | 1 Factor | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover. | |||||
| CVE-2021-40849 | 1 Mahara | 1 Mahara | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges. | |||||
| CVE-2021-45885 | 1 Stormshield | 1 Network Security | 2024-02-04 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password. | |||||
| CVE-2021-25981 | 1 Talkyard | 1 Talkyard | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks) | |||||
| CVE-2021-33982 | 1 Myfwc | 1 Fish \| Hunt Fl | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. | |||||
| CVE-2021-29846 | 1 Ibm | 1 Security Guardium Insights | 2024-02-04 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256. | |||||
| CVE-2021-20473 | 1 Ibm | 1 Sterling File Gateway | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944. | |||||