Total
316 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-1195 | 1 Cloudfoundry | 3 Capi-release, Cf-deployment, Cf-release | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. | |||||
CVE-2018-11386 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. | |||||
CVE-2017-12867 | 1 Simplesamlphp | 1 Simplesamlphp | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | |||||
CVE-2017-11667 | 1 Openproject | 1 Openproject | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. | |||||
CVE-2017-1000135 | 1 Mahara | 1 Mahara | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | |||||
CVE-2017-3215 | 1 Milwaukee | 1 One-key | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions. | |||||
CVE-2015-5171 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. | |||||
CVE-2017-6145 | 1 F5 | 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens. | |||||
CVE-2017-14007 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2024-02-28 | 6.8 MEDIUM | 5.6 MEDIUM |
An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. | |||||
CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | |||||
CVE-2017-1000131 | 1 Mahara | 1 Mahara | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | |||||
CVE-2017-12159 | 2 Keycloak, Redhat | 3 Keycloak, Enterprise Linux Server, Single Sign On | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | |||||
CVE-2017-6529 | 1 Dnatools | 1 Dnalims | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter. | |||||
CVE-2016-8712 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-02-28 | 4.3 MEDIUM | 8.1 HIGH |
An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. | |||||
CVE-2016-5069 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. | |||||
CVE-2014-3616 | 2 Debian, F5 | 2 Debian Linux, Nginx | 2024-02-28 | 4.3 MEDIUM | N/A |
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks. |