Total
316 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-35034 | 1 Zyxel | 2 Nbg6604, Nbg6604 Firmware | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. | |||||
CVE-2022-21652 | 1 Shopware | 1 Shopware | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue. | |||||
CVE-2021-41100 | 1 Wire | 1 Wire-server | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used. | |||||
CVE-2021-25985 | 1 Darwin | 1 Factor | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover. | |||||
CVE-2021-42545 | 1 Business-dnasolutions | 1 Topease | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. | |||||
CVE-2021-25940 | 1 Arangodb | 1 Arangodb | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system. | |||||
CVE-2021-45885 | 1 Stormshield | 1 Network Security | 2024-02-28 | 4.3 MEDIUM | 7.5 HIGH |
An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password. | |||||
CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session. | |||||
CVE-2021-33322 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | |||||
CVE-2021-31408 | 1 Vaadin | 2 Flow, Vaadin | 2024-02-28 | 3.3 LOW | 7.1 HIGH |
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out. | |||||
CVE-2021-37156 | 1 Redmine | 1 Redmine | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated. | |||||
CVE-2021-26037 | 1 Joomla | 1 Joomla\! | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked. | |||||
CVE-2021-35342 | 1 Northern.tech | 2 Mender, Useradm | 2024-02-28 | 4.3 MEDIUM | 7.5 HIGH |
The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled). | |||||
CVE-2021-30943 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a messages group but continue to receive messages in that group. | |||||
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
CVE-2021-22136 | 1 Elastic | 1 Kibana | 2024-02-28 | 3.6 LOW | 3.5 LOW |
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out. | |||||
CVE-2021-20431 | 3 Ibm, Linux, Microsoft | 3 I2 Analysts Notebook, Linux Kernel, Windows | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342. | |||||
CVE-2021-22221 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired | |||||
CVE-2021-20378 | 1 Ibm | 1 Guardium Data Encryption | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709. | |||||
CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks) |