Filtered by CWE-613
Filtered by vendor Subscriptions
Total 357 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-1776 1 Otrs 1 Otrs 2024-11-21 3.5 Low
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
CVE-2020-1768 1 Otrs 1 Otrs 2024-11-21 5.4 Medium
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
CVE-2020-1762 2 Kiali, Redhat 3 Kiali, Openshift Service Mesh, Service Mesh 2024-11-21 7 High
An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
CVE-2020-1724 1 Redhat 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more 2024-11-21 4.3 Medium
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
CVE-2020-1666 1 Juniper 1 Junos Os Evolved 2024-11-21 6.6 Medium
The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.
CVE-2020-17474 1 Zkteco 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server 2024-11-21 9.8 Critical
A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
CVE-2020-17473 1 Zkteco 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server 2024-11-21 5.9 Medium
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
CVE-2020-15950 1 Immuta 1 Immuta 2024-11-21 8.8 High
Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
CVE-2020-15774 1 Gradle 1 Enterprise 2024-11-21 6.8 Medium
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
CVE-2020-15269 1 Sparksolutions 1 Spree 2024-11-21 7.4 High
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
CVE-2020-15220 1 Combodo 1 Itop 2024-11-21 6.1 Medium
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15218 1 Combodo 1 Itop 2024-11-21 6.8 Medium
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15074 1 Openvpn 1 Openvpn Access Server 2024-11-21 7.5 High
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.
CVE-2020-14247 1 Hcltechsw 1 Onetest Performance 2024-11-21 6.5 Medium
HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.
CVE-2020-13353 1 Gitlab 1 Gitaly 2024-11-21 2.5 Low
When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.
CVE-2020-13307 1 Gitlab 1 Gitlab 2024-11-21 3.8 Low
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access.
CVE-2020-13305 1 Gitlab 1 Gitlab 2024-11-21 3.5 Low
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user from a project.
CVE-2020-13302 1 Gitlab 1 Gitlab 2024-11-21 3.8 Low
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.
CVE-2020-13299 1 Gitlab 1 Gitlab 2024-11-21 8.1 High
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
CVE-2020-12690 2 Openstack, Redhat 2 Keystone, Openstack 2024-11-21 8.8 High
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.