Total: 316 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-50936 | 1 Ibm | 1 Powersc | 2024-02-28 | N/A | 8.8 HIGH |
IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116. | |||||
CVE-2023-49091 | | | 2024-02-28 | N/A | 9.8 CRITICAL |
Cosmos gives users the ability to self-host a home server by acting as a secure gateway to your applications, as well as a server manager. Cosmos-server is vulnerable because the authorization header used for user login remains valid and does not expire after logout. This allows an attacker who holds the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0. | |||||
CVE-2023-4126 | 1 Answer | 1 Answer | 2024-02-28 | N/A | 8.8 HIGH |
Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0. | |||||
CVE-2023-40178 | 1 Node Saml Project | 1 Node Saml | 2024-02-28 | N/A | 5.3 MEDIUM |
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of a check against the current timestamp allows a LogoutRequest XML to be reused multiple times, even when the current time is past its NotOnOrAfter value. An affected user would be logged out by an expired LogoutRequest; if LogoutRequests are sent out en masse to different SPs, this could affect many users at once. This issue was patched in version 4.0.5. | |||||
CVE-2023-37919 | 1 Cal | 1 Cal.com | 2024-02-28 | N/A | 5.4 MEDIUM |
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When 2FA is activated on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist. | |||||
CVE-2023-4005 | 1 Fossbilling | 1 Fossbilling | 2024-02-28 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | |||||
CVE-2023-46158 | 1 Ibm | 1 Websphere Application Server Liberty | 2024-02-28 | N/A | 9.8 CRITICAL |
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775. | |||||
CVE-2023-40174 | 1 Fobybus | 1 Social-media-skeleton | 2024-02-28 | N/A | 9.8 CRITICAL |
Social media skeleton is an incomplete/framework social media project implemented using PHP, CSS, JavaScript and HTML. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-40537 | 1 F5 | 18 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 15 more | 2024-02-28 | N/A | 8.1 HIGH |
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-02-28 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. | |||||
CVE-2023-40732 | 1 Siemens | 1 Qms Automotive | 2024-02-28 | N/A | 3.9 LOW |
A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks. | |||||
CVE-2023-33303 | 1 Fortinet | 1 Fortiedr | 2024-02-28 | N/A | 8.1 HIGH |
An insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows an attacker to execute unauthorized code or commands via API request. | |||||
CVE-2021-20581 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-02-28 | N/A | 4.3 MEDIUM |
IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324. | |||||
CVE-2023-41041 | 1 Graylog | 1 Graylog | 2024-02-28 | N/A | 3.1 LOW |
Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions. Upon a cache miss, the session is loaded from the database. After that, the node operates solely on the cached session. Modifications to sessions update the cached version as well as the session persisted in the database. However, each node maintains its own isolated version of the session. When the user logs out, the session is removed from the node-local cache and deleted from the database. The other nodes will however still use the cached session. These nodes will only fail to accept the session ID if they intend to update the session in the database; they will then notice that the session is gone. This is true for most API requests originating from user interaction with the Graylog UI, because these lead to an update of the session's "last access" timestamp. If the session update is however prevented by setting the `X-Graylog-No-Session-Extension:true` header in the request, the node will consider the (cached) session valid until the session has expired according to its timeout setting. No session identifiers are leaked. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is no longer valid. However, if the session is compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. | |||||
CVE-2023-42768 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2024-02-28 | N/A | 7.2 HIGH |
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and the user's role is later reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still have access to iControl REST admin resources. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2023-37570 | 1 Esds.co | 1 Emagic Data Center Management | 2024-02-28 | N/A | 8.8 HIGH |
This vulnerability exists in ESDS Emagic Data Center Management Suite due to non-expiry of the session cookie. By reusing a stolen cookie, a remote attacker could gain unauthorized access to the targeted system. | |||||
CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2024-02-28 | N/A | 8.2 HIGH |
Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
CVE-2023-4190 | 1 Admidio | 1 Admidio | 2024-02-28 | N/A | 6.5 MEDIUM |
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. | |||||
CVE-2023-37504 | 1 Hcltech | 1 Hcl Compass | 2024-02-28 | N/A | 6.5 MEDIUM |
HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user. | |||||
CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2024-02-28 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. |
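Most entries above (IBM PowerSC, Cosmos, HCL Compass, Siemens QMS Automotive, FortiEDR, Cal.com and the various GitHub projects) are the same defect seen from different angles: the server never decides that a session ID it handed out has stopped being good. The example below is added here and is not code from any of the products listed; it is a minimal server-side session store that covers the three behaviours the advisories describe as missing: logout deletes the record so a captured cookie cannot be replayed, enabling 2FA (or any other security-sensitive account change) invalidates every other session of that user, and idle and absolute timeouts bound the session's life. The per-user "generation" counter, the timeout values and the `FakeClock` are choices made for this example, not anything a listed product does.

```python
import secrets
import time


class Session:
    __slots__ = ("user", "generation", "created", "last_seen")

    def __init__(self, user, generation, now):
        self.user = user
        self.generation = generation  # snapshot of the user's generation at login
        self.created = now
        self.last_seen = now


class SessionStore:
    """Opaque server-side sessions: the client holds only a random ID and the
    server decides on every request whether that ID is still good."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}    # sid -> Session
        self._generation = {}  # user -> int, bumped on security-sensitive events

    def create(self, user):
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[sid] = Session(user, self._generation.setdefault(user, 0), now)
        return sid

    def validate(self, sid):
        """Return the user behind a live session, or None. Dead sessions are
        removed here so the store does not accumulate stale records."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        expired = (now - s.created >= self.absolute_timeout
                   or now - s.last_seen >= self.idle_timeout)
        revoked = s.generation != self._generation[s.user]
        if expired or revoked:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """Delete server-side: a cookie captured earlier cannot be replayed."""
        self._sessions.pop(sid, None)

    def invalidate_other_sessions(self, user, keep_sid):
        """For 2FA enrolment or a password change. Every session of `user`
        except `keep_sid` fails its next validation because the generation it
        carries is now out of date; no need to enumerate them."""
        self._generation[user] = self._generation.get(user, 0) + 1
        kept = self._sessions.get(keep_sid)
        if kept is not None and kept.user == user:
            kept.generation = self._generation[user]


class FakeClock:
    """Injectable clock so the timeouts can be demonstrated without waiting."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Runs the scenarios from the advisories above; returns what each observed."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    seen = {}

    phone = store.create("alice")
    laptop = store.create("alice")
    store.logout(phone)
    seen["phone_after_logout"] = store.validate(phone)          # None: ID is dead
    seen["laptop_after_phone_logout"] = store.validate(laptop)  # 'alice': untouched

    tablet = store.create("alice")
    store.invalidate_other_sessions("alice", keep_sid=laptop)   # 2FA enabled on laptop
    seen["tablet_after_2fa"] = store.validate(tablet)           # None: old generation
    seen["laptop_after_2fa"] = store.validate(laptop)           # 'alice': kept
    seen["new_login_after_2fa"] = store.validate(store.create("alice"))  # 'alice'

    clock.advance(900)
    seen["laptop_after_idle"] = store.validate(laptop)          # None: idle timeout

    desk = store.create("alice")
    last = None
    for _ in range(7):  # touched every 10 min; 70 min exceeds the 60 min absolute cap
        clock.advance(600)
        last = store.validate(desk)
    seen["desk_after_absolute"] = last                          # None
    return seen


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value!r}")
```

The generation counter is what makes the Cal.com case cheap to fix: the server does not have to find every other session of the user, it only has to change one integer and let those sessions fail on their next request.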
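The Graylog entry (CVE-2023-41041) is a distributed variant: logout is correct on the node that handles it, but a second node keeps serving its private cached copy until something forces a write to the shared database. The example below is added here and is not Graylog code; it is a two-node model of the mechanism the advisory describes, with a `no_session_extension` flag standing in for the `X-Graylog-No-Session-Extension:true` header. The `recheck_store` option is one possible correction (consult the shared store before trusting a cached entry) and is an assumption for this example, not necessarily what Graylog 5.0.9/5.1.3 shipped.

```python
class SharedStore:
    """Stand-in for the cluster-wide session database."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str, "last_access": float}


class Node:
    """One cluster member with a node-local session cache."""

    def __init__(self, name, store, clock, session_timeout, recheck_store=False):
        self.name = name
        self.store = store
        self.clock = clock
        self.session_timeout = session_timeout
        self.recheck_store = recheck_store  # the fix: never trust the cache alone
        self.cache = {}

    def login(self, sid, user):
        rec = {"user": user, "last_access": self.clock()}
        self.store.sessions[sid] = rec
        self.cache[sid] = dict(rec)

    def logout(self, sid):
        # Removes the local copy and the shared row; other nodes' caches stay.
        self.cache.pop(sid, None)
        self.store.sessions.pop(sid, None)

    def _lookup(self, sid):
        rec = self.cache.get(sid)
        if rec is None:
            rec = self.store.sessions.get(sid)
            if rec is not None:
                rec = dict(rec)  # cache miss: load once, then work on a private copy
                self.cache[sid] = rec
        return rec

    def api_request(self, sid, no_session_extension=False):
        """Return the user if the request is authorised, else None."""
        rec = self._lookup(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_access"] >= self.session_timeout:
            self.cache.pop(sid, None)
            return None
        if self.recheck_store and sid not in self.store.sessions:
            self.cache.pop(sid, None)  # fixed node: a logout elsewhere is honoured
            return None
        if not no_session_extension:
            # Normal UI traffic extends the session by writing last_access back.
            # A row deleted by a logout on another node is noticed only here,
            # which is why the vulnerable node rejects ordinary requests but
            # not ones that ask for no extension.
            if sid not in self.store.sessions:
                self.cache.pop(sid, None)
                return None
            rec["last_access"] = now
            self.store.sessions[sid]["last_access"] = now
        return rec["user"]


class Clock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def scenario(recheck_store, no_session_extension, logout=True):
    """Log in on node A, warm node B's cache, log out on A, then ask node B
    one minute later. Returns what node B answered."""
    clock = Clock()
    store = SharedStore()
    a = Node("a", store, clock, session_timeout=3600, recheck_store=recheck_store)
    b = Node("b", store, clock, session_timeout=3600, recheck_store=recheck_store)
    a.login("sid-1", "alice")
    assert b.api_request("sid-1") == "alice"  # node B now holds its own copy
    if logout:
        a.logout("sid-1")
    clock.now += 60.0
    return b.api_request("sid-1", no_session_extension=no_session_extension)


if __name__ == "__main__":
    print("vulnerable, header set :", scenario(False, True))   # 'alice' after logout
    print("vulnerable, normal req :", scenario(False, False))  # None
    print("fixed, header set      :", scenario(True, True))    # None
```

The window is exactly what the advisory states: node B keeps answering until its cached copy hits the configured timeout, and nothing the logged-out user does on node A shortens it.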
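The Node-SAML entry (CVE-2023-40178) is the mirror image of the others: not a session that lives too long, but a logout message that stays usable too long. A service provider should reject a LogoutRequest once the current time is at or past its NotOnOrAfter (allowing a small clock skew) and should honour each request ID only once. The example below is added here and is not node-saml code; the sample request, the 60-second skew and the requirement that NotOnOrAfter be present (the SAML specification makes it optional) are choices made for this example. Signature verification of the request is a separate step and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample for this example; the IDs and hostnames are made up.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-request-1" Version="2.0"
    IssueInstant="2024-02-28T12:00:00Z" NotOnOrAfter="2024-02-28T12:05:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:NameID>alice@example.test</saml:NameID>
</samlp:LogoutRequest>"""


def parse_saml_instant(value):
    """xsd:dateTime as SAML uses it: UTC with a trailing Z, or an explicit offset."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return dt.astimezone(timezone.utc)


class LogoutRequestValidator:
    def __init__(self, clock, skew=timedelta(seconds=60)):
        self.clock = clock
        self.skew = skew
        self._seen = {}  # request ID -> NotOnOrAfter, dropped once it is past

    def validate(self, xml_text):
        """Return the NameID to log out, or raise ValueError with the reason."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a LogoutRequest")
        req_id = root.get("ID")
        deadline_attr = root.get("NotOnOrAfter")
        if not req_id or not deadline_attr:
            raise ValueError("ID and NotOnOrAfter are required here")
        deadline = parse_saml_instant(deadline_attr)
        now = self.clock()
        # Forget IDs that time alone would now reject; the replay set stays bounded.
        self._seen = {i: d for i, d in self._seen.items() if now < d + self.skew}
        if now >= deadline + self.skew:
            raise ValueError("LogoutRequest expired")
        if req_id in self._seen:
            raise ValueError("LogoutRequest replayed")
        self._seen[req_id] = deadline
        name_id = root.findtext(f"{{{SAML}}}NameID")
        if not name_id:
            raise ValueError("no NameID")
        return name_id


def validator_at(instant, skew_seconds=60):
    """Validator whose clock is frozen at `instant` (an xsd:dateTime string)."""
    frozen = parse_saml_instant(instant)
    return LogoutRequestValidator(lambda: frozen, timedelta(seconds=skew_seconds))


def outcome(validator, xml_text):
    """'accepted:<NameID>' or the rejection reason, for easy checking."""
    try:
        return "accepted:" + validator.validate(xml_text)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    v = validator_at("2024-02-28T12:01:00Z")
    print(outcome(v, SAMPLE_LOGOUT_REQUEST))  # accepted:alice@example.test
    print(outcome(v, SAMPLE_LOGOUT_REQUEST))  # LogoutRequest replayed
    print(outcome(validator_at("2024-02-28T12:06:30Z"), SAMPLE_LOGOUT_REQUEST))  # expired
```

Without the time check a captured request is good forever; without the ID check it is good repeatedly inside its window. Both are needed, and the mass-logout case in the advisory is just the same stale request delivered to many SPs at once.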