Total
324 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25992 | 1 If-me | 1 Ifme | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a user’s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks. | |||||
| CVE-2021-25985 | 1 Darwin | 1 Factor | 2024-11-21 | 7.5 HIGH | 7.8 HIGH |
| In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover. | |||||
| CVE-2021-25981 | 1 Talkyard | 1 Talkyard | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks) | |||||
| CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session. | |||||
| CVE-2021-25970 | 1 Tuzitio | 1 Camaleon Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2021-25966 | 1 Orchardcore | 1 Orchard Core | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2021-25940 | 1 Arangodb | 1 Arangodb | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system. | |||||
| CVE-2021-24019 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | |||||
| CVE-2021-22820 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-614 Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain an unauthorized access over a hijacked session to the charger station web server even after the legitimate user account holder has changed his password. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-22221 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired | |||||
| CVE-2021-22136 | 1 Elastic | 1 Kibana | 2024-11-21 | 3.6 LOW | 3.5 LOW |
| In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out. | |||||
| CVE-2021-21032 | 1 Magento | 1 Magento | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. | |||||
| CVE-2021-21031 | 1 Magento | 1 Magento | 2024-11-21 | 7.5 HIGH | 5.6 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. | |||||
| CVE-2021-20581 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324. | |||||
| CVE-2021-20473 | 1 Ibm | 1 Sterling File Gateway | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944. | |||||
| CVE-2021-20431 | 3 Ibm, Linux, Microsoft | 3 I2 Analysts Notebook, Linux Kernel, Windows | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342. | |||||
| CVE-2021-20378 | 1 Ibm | 1 Guardium Data Encryption | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709. | |||||
| CVE-2020-9482 | 1 Apache | 1 Nifi Registry | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. | |||||
| CVE-2020-8867 | 1 Opcfoundation | 1 Unified Architecture .net-standard | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295. | |||||
| CVE-2020-8234 | 1 Ui | 12 Edgemax Firmware, Ep-s16, Es-12f and 9 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. | |||||