Total: 325 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-29070 | | | 2024-11-21 | N/A | 9.1 CRITICAL | In versions before 2.1.4, the session is not invalidated after logout. When the user logs in successfully, the backend service returns "Authorization" as the front-end authentication credential; that "Authorization" value can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4. |
CVE-2024-27782 | 1 Fortinet | 1 Fortiaiops | 2024-11-21 | N/A | 8.1 HIGH | Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests. |
CVE-2024-27455 | | | 2024-11-21 | N/A | 9.1 CRITICAL | In the Bentley ALIM Web application, certain configuration settings can expose a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. |
CVE-2024-25954 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contains an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. |
CVE-2024-25718 | 1 Dropbox | 1 Samly | 2024-11-21 | N/A | 9.8 CRITICAL | In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry. |
CVE-2024-25628 | | | 2024-11-21 | N/A | 7.6 HIGH | Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402, users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2024-25619 | | | 2024-11-21 | N/A | 3.1 LOW | Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server was not informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` did not actually fire, since `delete_all` does not trigger ActiveRecord callbacks. To mitigate, a `before_destroy` callback is added to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given that the affected application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2024-22543 | | | 2024-11-21 | N/A | 6.1 MEDIUM | An issue was discovered in Linksys Router E1700 1.0.04 (build 3) that allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function. |
CVE-2024-22403 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 3.0 LOW | Nextcloud Server is a self-hosted personal cloud system. In affected versions, OAuth codes did not expire; an attacker who obtained an authorization code could authenticate at any time using that code. As of version 28.0.0, OAuth codes are invalidated after 10 minutes and will no longer authenticate. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability. |
CVE-2024-22358 | | | 2024-11-21 | N/A | 6.3 MEDIUM | IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 do not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896. |
CVE-2024-21722 | | | 2024-11-21 | N/A | 6.3 MEDIUM | The MFA management features did not properly terminate existing user sessions when a user's MFA methods were modified. |
CVE-2024-1623 | | | 2024-11-21 | N/A | 7.7 HIGH | Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. The vulnerability exists because the 'Login.asp' and 'logout.asp' files do not handle session details correctly. |
CVE-2024-0944 | 1 Totolink | 2 T8, T8 Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW | A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high, and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-0943 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW | A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high, and exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-0942 | 1 Totolink | 2 N200re-v5, N200re-v5 Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW | A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high, and exploitation is reported to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-11-21 | 2.1 LOW | 3.1 LOW | A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high, and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability. |
CVE-2024-0260 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816. |
CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2024-11-21 | N/A | 8.2 HIGH | Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. |
CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2024-11-21 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. |