Total
292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | |||||
| CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | |||||
| CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2024-02-04 | 3.6 LOW | 7.1 HIGH |
| A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6. | |||||
| CVE-2021-26037 | 1 Joomla | 1 Joomla\! | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked. | |||||
| CVE-2021-22221 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired | |||||
| CVE-2021-22136 | 1 Elastic | 1 Kibana | 2024-02-04 | 3.6 LOW | 3.5 LOW |
| In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out. | |||||
| CVE-2021-20378 | 1 Ibm | 1 Guardium Data Encryption | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709. | |||||
| CVE-2021-35342 | 1 Northern.tech | 2 Mender, Useradm | 2024-02-04 | 4.3 MEDIUM | 7.5 HIGH |
| The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled). | |||||
| CVE-2021-37156 | 1 Redmine | 1 Redmine | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated. | |||||
| CVE-2021-20431 | 3 Ibm, Linux, Microsoft | 3 I2 Analysts Notebook, Linux Kernel, Windows | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342. | |||||
| CVE-2021-31408 | 1 Vaadin | 2 Flow, Vaadin | 2024-02-04 | 3.3 LOW | 7.1 HIGH |
| Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out. | |||||
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
| CVE-2021-30943 | 1 Apple | 4 Ipad Os, Iphone Os, Macos and 1 more | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a messages group but continue to receive messages in that group. | |||||
| CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2024-02-04 | 3.6 LOW | 3.5 LOW |
| For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. | |||||
| CVE-2021-33322 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | |||||
| CVE-2021-3183 | 1 Files | 1 Fat Client | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile. | |||||
| CVE-2020-1666 | 1 Juniper | 1 Junos Os Evolved | 2024-02-04 | 7.2 HIGH | 6.6 MEDIUM |
| The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO. | |||||
| CVE-2021-27351 | 1 Telegram | 1 Telegram | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. | |||||
| CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | |||||
| CVE-2020-23140 | 1 Microweber | 1 Microweber | 2024-02-04 | 5.8 MEDIUM | 8.1 HIGH |
| Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | |||||