Total: 324 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20581 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-02-28 | N/A | 4.3 MEDIUM |
IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324. | |||||
CVE-2023-41041 | 1 Graylog | 1 Graylog | 2024-02-28 | N/A | 3.1 LOW |
Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions. Upon a cache miss, the session is loaded from the database. After that, the node operates solely on the cached session. Modifications to sessions will update the cached version as well as the session persisted in the database. However, each node maintains its own isolated version of the session. When the user logs out, the session is removed from the node-local cache and deleted from the database. The other nodes will however still use the cached session. These nodes will only fail to accept the session id if they intend to update the session in the database. They will then notice that the session is gone. This is true for most API requests originating from user interaction with the Graylog UI because these will lead to an update of the session's "last access" timestamp. If the session update is however prevented by setting the `X-Graylog-No-Session-Extension:true` header in the request, the node will consider the (cached) session valid until the session is expired according to its timeout setting. No session identifiers are leaked. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. | |||||
CVE-2023-42768 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2024-02-28 | N/A | 7.2 HIGH |
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and the user's role is later reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still have access to iControl REST admin resources. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2023-37570 | 1 Esds.co | 1 Emagic Data Center Management | 2024-02-28 | N/A | 8.8 HIGH |
This vulnerability exists in ESDS Emagic Data Center Management Suite due to non-expiry of the session cookie. By reusing a stolen cookie, a remote attacker could gain unauthorized access to the targeted system. | |||||
CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2024-02-28 | N/A | 8.2 HIGH |
Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
CVE-2023-4190 | 1 Admidio | 1 Admidio | 2024-02-28 | N/A | 6.5 MEDIUM |
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. | |||||
CVE-2023-37504 | 1 Hcltech | 1 Hcl Compass | 2024-02-28 | N/A | 6.5 MEDIUM |
HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user. | |||||
CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2024-02-28 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. | |||||
CVE-2023-45659 | 1 Engelsystem | 1 Engelsystem | 2024-02-28 | N/A | 2.8 LOW |
Engelsystem is a shift planning system for chaos events. If a user's password is compromised and an attacker gained access to the user's account, i.e., logged in and obtained a session, the attacker's session is not terminated if the user's account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability. | |||||
CVE-2023-38489 | 1 Getkirby | 1 Kirby | 2024-02-28 | N/A | 7.3 HIGH |
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby did not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases. | |||||
CVE-2022-3916 | 1 Redhat | 7 Enterprise Linux, Keycloak, Openshift Container Platform and 4 more | 2024-02-28 | N/A | 6.8 MEDIUM |
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. | |||||
CVE-2023-39695 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2024-02-28 | N/A | 5.3 MEDIUM |
Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out. | |||||
CVE-2023-20903 | 1 Cloudfoundry | 1 User Account And Authentication | 2024-02-28 | N/A | 4.3 MEDIUM |
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers. Assume that an external identity provider is linked to the UAA, that a refresh token is issued to a client on behalf of a user from that identity provider, and that the administrator of the UAA then deactivates the identity provider. It is expected that the UAA would reject such a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days). | |||||
CVE-2023-0041 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-02-28 | N/A | 8.8 HIGH |
IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657. | |||||
CVE-2020-4914 | 1 Ibm | 1 Cloud Pak System | 2024-02-28 | N/A | 5.5 MEDIUM |
IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290. | |||||
CVE-2022-38707 | 1 Ibm | 1 Cognos Command Center | 2024-02-28 | N/A | 5.5 MEDIUM |
IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179. | |||||
CVE-2021-3844 | 1 Rapid7 | 1 Insightvm | 2024-02-28 | N/A | 5.4 MEDIUM |
Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638. | |||||
CVE-2022-37186 | 1 Lemonldap-ng | 1 Lemonldap::ng | 2024-02-28 | N/A | 5.9 MEDIUM |
In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. | |||||
CVE-2023-31139 | 1 Dhis2 | 1 Dhis 2 | 2024-02-28 | N/A | 7.5 HIGH |
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy. | |||||
CVE-2023-1788 | 1 Firefly-iii | 1 Firefly Iii | 2024-02-28 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. |
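The multi-node cache behaviour described for CVE-2023-41041 (Graylog) above, modelled as a stand-alone Python example added by the editor; it is not Graylog code. The dict-backed `SessionDB`, the `Node` class, the session id and the TTL are all constructed for illustration. `revalidate_on_read=False` reproduces the reported behaviour: a peer node keeps trusting its cached copy until that copy's own expiry, as long as no request forces a write-through to the shared store. `revalidate_on_read=True` shows one hardening, confirming that the session still exists in the shared store before accepting it.

```python
"""Two-node model of a logout that only one node's session cache sees.
Constructed for illustration of CVE-2023-41041's mechanism; not Graylog code."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass
class Session:
    sid: str
    user: str
    last_access: float
    ttl: float

    def expired(self, now: float) -> bool:
        return now >= self.last_access + self.ttl


class SessionDB:
    """Stand-in for the cluster's shared session store (constructed)."""

    def __init__(self) -> None:
        self.rows: dict[str, Session] = {}

    def get(self, sid: str) -> Session | None:
        row = self.rows.get(sid)
        return replace(row) if row is not None else None  # hand out a copy, like a real DB read

    def put(self, s: Session) -> None:
        self.rows[s.sid] = replace(s)

    def delete(self, sid: str) -> None:
        self.rows.pop(sid, None)


class Node:
    """One cluster member with its own isolated in-memory session cache."""

    def __init__(self, db: SessionDB, revalidate_on_read: bool) -> None:
        self.db = db
        self.cache: dict[str, Session] = {}
        # False reproduces the reported behaviour; True checks the shared store
        # on every request, so a logout performed on any node is seen at once.
        self.revalidate_on_read = revalidate_on_read

    def login(self, sid: str, user: str, now: float, ttl: float) -> None:
        s = Session(sid, user, now, ttl)
        self.db.put(s)
        self.cache[sid] = s

    def logout(self, sid: str) -> None:
        # Evicts locally and deletes the row; the other nodes' caches are not told.
        self.cache.pop(sid, None)
        self.db.delete(sid)

    def authorize(self, sid: str, now: float, extend: bool = True) -> str | None:
        """Return the user if the request is accepted, else None.
        extend=False models a request sent with X-Graylog-No-Session-Extension:true."""
        s = self.cache.get(sid)
        if s is None:
            s = self.db.get(sid)            # cache miss: load from the shared store
            if s is None:
                return None
            self.cache[sid] = s
        if s.expired(now):
            self.cache.pop(sid, None)       # the only check the vulnerable path applies
            return None
        if extend or self.revalidate_on_read:
            if self.db.get(sid) is None:    # touching the store reveals the deletion
                self.cache.pop(sid, None)
                return None
        if extend:
            s.last_access = now             # update "last access" and write it through
            self.db.put(s)
        return s.user


def run_scenario(revalidate_on_read: bool) -> dict[str, bool]:
    """Alice logs in on node A, uses nodes B and C (filling their caches), logs
    out on A, then her session id is replayed against B and C."""
    db = SessionDB()
    a, b, c = (Node(db, revalidate_on_read) for _ in range(3))
    sid, t0, ttl = "sess-constructed-0001", 1_000.0, 3_600.0
    a.login(sid, "alice", now=t0, ttl=ttl)
    before = b.authorize(sid, now=t0 + 10) == "alice" and c.authorize(sid, now=t0 + 10) == "alice"
    a.logout(sid)
    return {
        "accepted_before_logout": before,
        # No write-through: the vulnerable node keeps trusting its cached copy.
        "accepted_after_logout_no_extension": b.authorize(sid, now=t0 + 20, extend=False) == "alice",
        # Updating "last access" forces a store write, which exposes the deletion.
        "accepted_after_logout_with_extension": b.authorize(sid, now=t0 + 30) == "alice",
        # Even the vulnerable node stops at the cached session's own expiry.
        "accepted_after_ttl_no_extension": c.authorize(sid, now=t0 + 10 + ttl, extend=False) == "alice",
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(revalidate_on_read=False))
    print("hardened:  ", run_scenario(revalidate_on_read=True))
```

Running the script prints the vulnerable node accepting the replayed id after logout when no session extension is requested, and the hardened node rejecting it. Revalidating on every read costs one store round trip per request; a cluster-wide invalidation message on logout is the usual cheaper alternative, but it is not modelled here and this sketch does not describe what the Graylog 5.0.9/5.1.3 fix actually does.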
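Several entries above describe the same defect from a different angle: a session created with a password that has since been changed stays valid (CVE-2023-45659 Engelsystem, CVE-2023-38489 Kirby, CVE-2021-3844 InsightVM). The Kirby advisory names the remedy, recording the hashed password in each active session and invalidating the session when the hash no longer matches. The following stand-alone Python example, added by the editor and not taken from any of those projects, models the vulnerable and the fixed behaviour side by side. The `AuthService` class, the PBKDF2 parameters, the usernames and passwords are all constructed for illustration.

```python
"""Sessions bound to the password hash they were created with.
Constructed illustration of the fix described for CVE-2023-38489; not project code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes | None = None) -> str:
    """PBKDF2-HMAC-SHA256, returned as 'salt_hex:digest_hex'. A fresh salt on
    every call means the stored string changes on every reset, even to the same value."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Session:
    user: str
    pw_hash_at_login: str   # snapshot of the account's stored hash when the session was created


class AuthService:
    def __init__(self, bind_sessions_to_password: bool) -> None:
        self.users: dict[str, str] = {}         # username -> stored password hash
        self.sessions: dict[str, Session] = {}  # session id -> Session
        # False reproduces the vulnerable behaviour; True applies the fix.
        self.bind = bind_sessions_to_password

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str) -> str | None:
        stored = self.users.get(user)
        if stored is None or not verify_password(password, stored):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, stored)
        return sid

    def change_password(self, user: str, new_password: str) -> None:
        # Only the stored hash changes; existing sessions are not touched here.
        # In the bound variant they are revoked lazily, on their next use.
        self.users[user] = hash_password(new_password)

    def authenticate(self, sid: str) -> str | None:
        s = self.sessions.get(sid)
        if s is None:
            return None
        current = self.users.get(s.user, "")
        if self.bind and not hmac.compare_digest(s.pw_hash_at_login, current):
            del self.sessions[sid]   # password changed since login: revoke the session
            return None
        return s.user


def run_scenario(bind_sessions_to_password: bool) -> dict[str, bool]:
    """An attacker logs in with a leaked password, the password is reset,
    then both the attacker's old session and the legitimate user are checked."""
    svc = AuthService(bind_sessions_to_password)
    svc.register("alice", "leaked-password")
    attacker_sid = svc.login("alice", "leaked-password")
    if attacker_sid is None:
        raise RuntimeError("constructed scenario: first login must succeed")
    svc.change_password("alice", "new-strong-password")   # by alice or by an admin
    victim_sid = svc.login("alice", "new-strong-password")
    return {
        "attacker_session_survives_reset": svc.authenticate(attacker_sid) == "alice",
        "old_password_still_logs_in": svc.login("alice", "leaked-password") is not None,
        "victim_new_session_works": victim_sid is not None and svc.authenticate(victim_sid) == "alice",
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(bind_sessions_to_password=False))
    print("fixed:     ", run_scenario(bind_sessions_to_password=True))
```

The only difference between the two runs is the comparison in `authenticate`; the old password is rejected in both, which is exactly why the surviving session is easy to miss in testing. Storing a copy of the hash in every session is what the Kirby advisory describes; an equivalent design with less exposure of the hash is a per-user credential version or "sessions valid after" timestamp that every security-relevant edit bumps, which would also cover the administrator-driven changes mentioned for InsightVM.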