Total
316 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-40849 | 1 Mahara | 1 Mahara | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges. |
CVE-2020-27416 | 1 Mahadiscom | 1 Mahavitaran | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | The Mahavitaran Android application 7.50 and prior is affected by account takeover due to improper OTP validation, which allows remote attackers to control a user's account. |
CVE-2021-38823 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | The IceHrm 30.0.0 OS website was found vulnerable to a session management issue: a signout from an admin account does not invalidate an admin session that is opened in a different browser. |
CVE-2021-33982 | 1 Myfwc | 1 Fish \| Hunt Fl | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An insufficient session expiration vulnerability exists in the "Fish \| Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions. |
CVE-2021-24019 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | An insufficient session expiration vulnerability [CWE-613] in FortiClientEMS versions 6.4.2 and below and 6.2.8 and below may allow an attacker to reuse unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks). |
CVE-2021-29846 | 1 Ibm | 1 Security Guardium Insights | 2024-02-28 | 4.0 MEDIUM | 2.7 LOW | IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256. |
CVE-2021-22820 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | A CWE-614 Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session to the charger station web server even after the legitimate user account holder has changed his password. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2). |
CVE-2021-36330 | 1 Dell | 1 Emc Streaming Data Platform | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user. |
CVE-2022-22113 | 1 Daybydaycrm | 1 Daybyday | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed. |
CVE-2021-25981 | 1 Talkyard | 1 Talkyard | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin's still-valid session token even when logged out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks). |
CVE-2021-34739 | 1 Cisco | 418 Cbs250-16p-2g, Cbs250-16p-2g Firmware, Cbs250-16t-2g and 415 more | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH | A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges. |
CVE-2021-35214 | 1 Solarwinds | 1 Pingdom | 2024-02-28 | 1.9 LOW | 4.7 MEDIUM | The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate the user session upon a password or email address change. When running multiple active sessions in separate browser windows, it was observed that a password or email address could be changed without terminating the user session. This issue was resolved on September 13, 2021. |
CVE-2021-20473 | 1 Ibm | 1 Sterling File Gateway | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944. |
CVE-2021-41247 | 1 Jupyter | 1 Jupyterhub | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions, users who have multiple JupyterLab tabs open in the same browser session may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) are reinstated after logout if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out. |
CVE-2021-25966 | 1 Orchardcore | 1 Orchard Core | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | In the "Orchard Core CMS" application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed. |
CVE-2021-43791 | 1 Zulip | 1 Zulip | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/, meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible. |
CVE-2021-37866 | 1 Mattermost | 1 Mattermost Boards | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization. |
CVE-2021-25970 | 1 Tuzitio | 1 Camaleon Cms | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH | Camaleon CMS 0.1.7 to 2.6.0 doesn't terminate the active session of the users, even after the admin changes the user's password. A user that was already logged in will still have access to the application even after the password was changed. |
CVE-2021-29868 | 1 Ibm | 1 I2 Ibase | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM | IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 206213. |
CVE-2021-37333 | 1 Bookingcore | 1 Booking Core | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Laravel Booking System Booking Core 2.0 is vulnerable to a session management issue. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser. |