Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-613
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-14007 1 Prominent 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware 2019-10-09 6.8 MEDIUM 5.6 MEDIUM
An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization.
CVE-2017-12159 2 Keycloak, Redhat 3 Keycloak, Enterprise Linux Server, Single Sign On 2019-10-09 5.0 MEDIUM 7.5 HIGH
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
CVE-2016-0234 1 Ibm 1 Openpages Grc Platform 2019-10-09 2.1 LOW 3.3 LOW
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.
CVE-2018-14345 1 Sddm Project 1 Sddm 2019-10-02 6.0 MEDIUM 7.5 HIGH
An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.
CVE-2018-6634 3 Canonical, Microsoft, Parsecgaming 3 Ubuntu Linux, Windows, Parsec 2019-10-02 7.5 HIGH 9.8 CRITICAL
A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 LTS Desktop' Build 142-1 allows unauthorized users to maintain access to an account.
CVE-2017-11667 1 Openproject 1 Openproject 2019-10-02 6.8 MEDIUM 8.1 HIGH
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.
CVE-2017-1000131 1 Mahara 1 Mahara 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions.
CVE-2017-12867 1 Simplesamlphp 1 Simplesamlphp 2019-10-02 4.3 MEDIUM 5.9 MEDIUM
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
CVE-2018-21018 1 Joinmastodon 1 Mastodon 2019-09-23 7.5 HIGH 9.8 CRITICAL
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2018-1000814 1 Aiohttp-session Project 1 Aiohttp-session 2019-09-19 4.0 MEDIUM 6.5 MEDIUM
aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.
CVE-2019-16133 1 Weaver 1 Eteams Oa 2019-09-10 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.
CVE-2019-7215 1 Progress 1 Sitefinity 2019-06-10 6.4 MEDIUM 6.5 MEDIUM
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
CVE-2018-11386 2 Debian, Sensiolabs 2 Debian Linux, Symfony 2019-03-29 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
CVE-2018-7758 1 Schneider-electric 46 Micom P141, Micom P141 Firmware, Micom P142 and 43 more 2018-05-29 3.3 LOW 6.5 MEDIUM
A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
CVE-2018-5438 1 Philips 1 Intellispace Cardiovascular 2018-04-20 3.3 LOW 6.3 MEDIUM
Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.
CVE-2017-15653 1 Asus 1 Asuswrt 2018-02-27 6.5 MEDIUM 8.8 HIGH
Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string.
CVE-2017-1693 1 Ibm 1 Integration Bus 2018-02-05 6.8 MEDIUM 5.6 MEDIUM
IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.
CVE-2017-6145 1 F5 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more 2017-11-15 7.5 HIGH 7.3 HIGH
iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens.
CVE-2017-1000136 1 Mahara 1 Mahara 2017-11-15 4.3 MEDIUM 6.5 MEDIUM
Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change.
CVE-2017-1000135 1 Mahara 1 Mahara 2017-11-15 4.0 MEDIUM 6.5 MEDIUM
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.