Total
324 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37693 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. | |||||
| CVE-2021-37333 | 1 Bookingcore | 1 Booking Core | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser. | |||||
| CVE-2021-37156 | 1 Redmine | 1 Redmine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated. | |||||
| CVE-2021-36330 | 1 Dell | 1 Emc Streaming Data Platform | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user. | |||||
| CVE-2021-35342 | 1 Northern.tech | 2 Mender, Useradm | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled). | |||||
| CVE-2021-35214 | 1 Solarwinds | 1 Pingdom | 2024-11-21 | 1.9 LOW | 4.8 MEDIUM |
| The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021. | |||||
| CVE-2021-35034 | 1 Zyxel | 2 Nbg6604, Nbg6604 Firmware | 2024-11-21 | 6.4 MEDIUM | 7.4 HIGH |
| An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. | |||||
| CVE-2021-34739 | 1 Cisco | 418 Cbs250-16p-2g, Cbs250-16p-2g Firmware, Cbs250-16t-2g and 415 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges. | |||||
| CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2024-11-21 | 3.6 LOW | 2.9 LOW |
| For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. | |||||
| CVE-2021-33982 | 1 Myfwc | 1 Fish \| Hunt Fl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. | |||||
| CVE-2021-33322 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | |||||
| CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
| CVE-2021-31408 | 1 Vaadin | 2 Flow, Vaadin | 2024-11-21 | 3.3 LOW | 6.3 MEDIUM |
| Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out. | |||||
| CVE-2021-30943 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a messages group but continue to receive messages in that group. | |||||
| CVE-2021-29868 | 1 Ibm | 1 I2 Ibase | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 206213. | |||||
| CVE-2021-29846 | 1 Ibm | 1 Security Guardium Insights | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256. | |||||
| CVE-2021-27751 | 1 Hcltechsw | 1 Hcl Commerce | 2024-11-21 | 1.9 LOW | 4.4 MEDIUM |
| HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible. | |||||
| CVE-2021-27351 | 1 Telegram | 1 Telegram | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. | |||||
| CVE-2021-26921 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. | |||||
| CVE-2021-26037 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked. | |||||