Total: 324 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks). | |||||
CVE-2020-6644 | 1 Fortinet | 1 Fortideceptor | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks. | |||||
CVE-2020-6363 | 1 Sap | 1 Commerce Cloud | 2024-11-21 | 4.9 MEDIUM | 4.6 MEDIUM |
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration. | |||||
CVE-2020-6292 | 1 Sap | 1 Disclosure Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration. | |||||
CVE-2020-6291 | 1 Sap | 1 Disclosure Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
SAP Disclosure Management, version 10.1, has a session mechanism that does not set expiration data and therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration. | |||||
CVE-2020-6197 | 1 Sap | 1 Enable Now | 2024-11-21 | 2.1 LOW | 3.3 LOW |
SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables. | |||||
CVE-2020-5774 | 1 Tenable | 1 Nessus | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access to log in to an existing browser session. | |||||
CVE-2020-4995 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate the session after logout, which could allow a user to obtain sensitive information from another user's session. IBM X-Force ID: 192912. | |||||
CVE-2020-4914 | 1 Ibm | 1 Cloud Pak System | 2024-11-21 | N/A | 4.2 MEDIUM |
IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290. | |||||
CVE-2020-4780 | 1 Ibm | 1 Curam Social Program Management | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
OOTB build scripts do not set the secure attribute on the session cookie, which may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158. | |||||
CVE-2020-4696 | 1 Ibm | 1 Cloud Pak For Security | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Cloud Pak for Security 1.3.0.1 (CP4S) does not invalidate the session after logout, which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789. | |||||
CVE-2020-4395 | 1 Ibm | 1 Security Access Manager Appliance | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358. | |||||
CVE-2020-4284 | 1 Ibm | 1 Security Information Queue | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207. | |||||
CVE-2020-4253 | 1 Ibm | 1 Content Navigator | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 175559. | |||||
CVE-2020-3188 | 1 Cisco | 25 Asa 5505, Asa 5505 Firmware, Asa 5510 and 22 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only. | |||||
CVE-2020-35358 | 1 Domainmod | 1 Domainmod | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality. | |||||
CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration. | |||||
CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.0 MEDIUM | 5.6 MEDIUM |
An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks). | |||||
CVE-2020-27739 | 1 Citadel | 1 Webcit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | |||||
CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account. |