Total
324 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22283 | 1 Samsung | 1 Health | 2024-11-21 | 2.1 LOW | 2.8 LOW |
| Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App. | |||||
| CVE-2022-22113 | 1 Daybydaycrm | 1 Daybyday | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2022-21652 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.5 MEDIUM | 3.5 LOW |
| Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue. | |||||
| CVE-2022-0991 | 1 Admidio | 1 Admidio | 2024-11-21 | 6.4 MEDIUM | 7.1 HIGH |
| Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9. | |||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-11-21 | N/A | 5.8 MEDIUM |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
| CVE-2021-45885 | 1 Stormshield | 1 Network Security | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password. | |||||
| CVE-2021-43791 | 1 Zulip | 1 Zulip | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible. | |||||
| CVE-2021-42545 | 1 Business-dnasolutions | 1 Topease | 2024-11-21 | 6.4 MEDIUM | 8.1 HIGH |
| An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. | |||||
| CVE-2021-41247 | 1 Jupyter | 1 Jupyterhub | 2024-11-21 | 5.0 MEDIUM | 3.5 LOW |
| JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out. | |||||
| CVE-2021-41100 | 1 Wire | 1 Wire-server | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
| Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used. | |||||
| CVE-2021-40849 | 1 Mahara | 1 Mahara | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges. | |||||
| CVE-2021-3844 | 1 Rapid7 | 1 Insightvm | 2024-11-21 | N/A | 5.7 MEDIUM |
| Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638. | |||||
| CVE-2021-3461 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 3.3 LOW | 7.1 HIGH |
| A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | |||||
| CVE-2021-3311 | 1 Octobercms | 1 October | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker. | |||||
| CVE-2021-3183 | 1 Files | 1 Fat Client | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile. | |||||
| CVE-2021-3144 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
| In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.) | |||||
| CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | |||||
| CVE-2021-38986 | 1 Ibm | 1 Mq | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942. | |||||
| CVE-2021-38823 | 1 Icehrm | 1 Icehrm | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser. | |||||
| CVE-2021-37866 | 1 Mattermost | 1 Mattermost Boards | 2024-11-21 | 5.0 MEDIUM | 4.7 MEDIUM |
| Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization. | |||||