Total
316 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-45462 | 1 Apache | 1 Cloudstack | 2024-10-17 | N/A | 7.1 HIGH |
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. | |||||
CVE-2024-48827 | 2024-10-15 | N/A | 8.8 HIGH | ||
An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function. | |||||
CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 5.0 MEDIUM | 7.5 HIGH |
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | |||||
CVE-2023-31065 | 1 Apache | 1 Inlong | 2024-10-09 | N/A | 9.1 CRITICAL |
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 , https://github.com/apache/inlong/pull/7884 https://github.com/apache/inlong/pull/7884 to solve it. | |||||
CVE-2024-23586 | 1 Hcltech | 2 Domino, Hcl Nomad | 2024-10-07 | N/A | 7.5 HIGH |
HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information. | |||||
CVE-2024-8888 | 1 Circutor | 2 Q-smt, Q-smt Firmware | 2024-10-01 | N/A | 7.5 HIGH |
An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc. | |||||
CVE-2022-38382 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2024-09-21 | N/A | 4.1 MEDIUM |
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672. | |||||
CVE-2024-38315 | 1 Ibm | 1 Aspera Shares | 2024-09-20 | N/A | 6.5 MEDIUM |
IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. | |||||
CVE-2019-5638 | 1 Rapid7 | 1 Nexpose | 2024-09-16 | 6.8 MEDIUM | 8.7 HIGH |
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. | |||||
CVE-2024-32006 | 2024-09-10 | N/A | 4.3 MEDIUM | ||
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication. | |||||
CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-09-09 | N/A | 8.8 HIGH |
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. | |||||
CVE-2024-36523 | 2024-09-06 | N/A | 6.5 MEDIUM | ||
An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts. | |||||
CVE-2024-42447 | 1 Apache | 2 Airflow, Apache-airflow-providers-fab | 2024-08-30 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected) * FAB provider 1.2.0 affected all versions of Airflow. Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Users who run Any Apache Airflow version and have FAB provider 1.2.0 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2 which fixes the issue. Also upgrading Apache Airflow to latest version available is recommended. Note: Early version of Airflow reference container images of Airflow 2.9.3 and constraint files contained FAB provider 1.2.1 version, but this is fixed in updated versions of the images. Users are advised to pull the latest Airflow images or reinstall FAB provider according to the current constraints. | |||||
CVE-2023-50270 | 2024-08-29 | N/A | 6.5 MEDIUM | ||
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |||||
CVE-2022-45862 | 1 Fortinet | 4 Fortios, Fortipam, Fortiproxy and 1 more | 2024-08-22 | N/A | 8.8 HIGH |
An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials. | |||||
CVE-2024-39809 | 1 F5 | 1 Big-ip Next Central Manager | 2024-08-19 | N/A | 8.8 HIGH |
The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2024-22543 | 2024-08-16 | N/A | 6.1 MEDIUM | ||
An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function. | |||||
CVE-2024-27782 | 1 Fortinet | 1 Fortiaiops | 2024-08-16 | N/A | 9.8 CRITICAL |
Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests. | |||||
CVE-2024-27455 | 2024-08-14 | N/A | 9.1 CRITICAL | ||
In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. | |||||
CVE-2023-26288 | 1 Ibm | 1 Aspera Orchestrator | 2024-08-13 | N/A | 5.5 MEDIUM |
IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477. |