ReportizFlow
Filtered by vendor
Subscriptions
Total
401 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-29402 | 2024-11-21 | 4.3 Medium | ||
| cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | ||||
| CVE-2024-29401 | 2024-11-21 | 9.8 Critical | ||
| xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. | ||||
| CVE-2024-27782 | 1 Fortinet | 1 Fortiaiops | 2024-11-21 | 7.7 High |
| Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests. | ||||
| CVE-2024-27455 | 2024-11-21 | 9.1 Critical | ||
| In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. | ||||
| CVE-2024-0943 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-11-21 | 3.7 Low |
| A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-0942 | 1 Totolink | 2 N200re-v5, N200re-v5 Firmware | 2024-11-21 | 3.7 Low |
| A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2024-11-21 | 8.2 High |
| Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | ||||
| CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. | ||||
| CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2024-11-21 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. | ||||
| CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-11-21 | 8.8 High |
| One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. | ||||
| CVE-2023-50936 | 1 Ibm | 1 Powersc | 2024-11-21 | 6.3 Medium |
| IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116. | ||||
| CVE-2023-4190 | 1 Admidio | 1 Admidio | 2024-11-21 | 6.5 Medium |
| Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. | ||||
| CVE-2023-4126 | 1 Answer | 1 Answer | 2024-11-21 | 8.8 High |
| Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0. | ||||
| CVE-2023-4005 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | ||||
| CVE-2023-49935 | 1 Schedmd | 1 Slurm | 2024-11-21 | 8.8 High |
| An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1. | ||||
| CVE-2023-47628 | 1 Datahub Project | 1 Datahub | 2024-11-21 | 4.2 Medium |
| DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-46326 | 1 Zstack | 1 Zstack | 2024-11-21 | 8.8 High |
| ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation. | ||||
| CVE-2023-46158 | 1 Ibm | 1 Websphere Application Server Liberty | 2024-11-21 | 4.9 Medium |
| IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775. | ||||
| CVE-2023-45659 | 1 Engelsystem | 1 Engelsystem | 2024-11-21 | 3.6 Low |
| Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45187 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2024-11-21 | 6.3 Medium |
| IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749. | ||||