Total
316 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15220 | 1 Combodo | 1 Itop | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0. | |||||
| CVE-2020-1666 | 1 Juniper | 1 Junos Os Evolved | 2024-02-28 | 7.2 HIGH | 6.6 MEDIUM |
| The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO. | |||||
| CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration. | |||||
| CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | |||||
| CVE-2009-20001 | 1 Mantisbt | 1 Mantisbt | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them. | |||||
| CVE-2020-14247 | 1 Hcltechsw | 1 Onetest Performance | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
| HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID. | |||||
| CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account. | |||||
| CVE-2016-20007 | 1 Rest\/json Project | 1 Rest\/json | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. | |||||
| CVE-2020-15950 | 1 Immuta | 1 Immuta | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout. | |||||
| CVE-2020-25374 | 1 Cyberark | 1 Privileged Session Manager | 2024-02-28 | 2.1 LOW | 2.6 LOW |
| CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. | |||||
| CVE-2020-6363 | 1 Sap | 1 Commerce Cloud | 2024-02-28 | 4.9 MEDIUM | 4.6 MEDIUM |
| SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration. | |||||
| CVE-2020-23136 | 1 Microweber | 1 Microweber | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| Microweber v1.1.18 is affected by no session expiry after log-out. | |||||
| CVE-2020-4696 | 1 Ibm | 1 Cloud Pak For Security | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789. | |||||
| CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | |||||
| CVE-2020-27739 | 1 Citadel | 1 Webcit | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | |||||
| CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | |||||
| CVE-2020-9482 | 1 Apache | 1 Nifi Registry | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
| If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. | |||||
| CVE-2020-1762 | 2 Kiali, Redhat | 2 Kiali, Openshift Service Mesh | 2024-02-28 | 7.5 HIGH | 8.6 HIGH |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | |||||
| CVE-2020-12690 | 1 Openstack | 1 Keystone | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | |||||
| CVE-2020-6644 | 1 Fortinet | 1 Fortideceptor | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks. | |||||