Total: 222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-22371 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling B2b Integrator, Linux Kernel and 1 more | 2023-01-10 | N/A | 6.5 MEDIUM | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
CVE-2021-30943 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2023-01-09 | 4.0 MEDIUM | 4.3 MEDIUM | An issue in the handling of group membership was resolved with improved logic. This issue is fixed in iOS 15.2 and iPadOS 15.2, watchOS 8.3, macOS Monterey 12.1. A malicious user may be able to leave a messages group but continue to receive messages in that group.
CVE-2022-47406 | 1 Change Password For Frontend Users Project | 1 Change Password For Frontend Users | 2022-12-19 | N/A | 9.8 CRITICAL | An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
CVE-2022-23502 | 1 Typo3 | 1 Typo3 | 2022-12-16 | N/A | 5.4 MEDIUM | TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.
CVE-2016-8712 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2022-12-13 | 4.3 MEDIUM | 8.1 HIGH | An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.
CVE-2019-4072 | 1 Ibm | 2 Spectrum Control, Tivoli Storage Productivity Center | 2022-12-09 | 6.5 MEDIUM | 6.3 MEDIUM | IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows users to remain idle within the application even when a user has logged out. Utilizing the application back button users can remain logged in as the current user for a short period of time, therefore users are presented with information for Spectrum Control Application. IBM X-Force ID: 157064.
CVE-2022-36179 | 1 Fusiondirectory | 1 Fusiondirectory | 2022-11-28 | N/A | 9.8 CRITICAL | Fusiondirectory 1.3 suffers from Improper Session Handling.
CVE-2022-40228 | 1 Ibm | 1 Datapower Gateway | 2022-11-25 | N/A | 5.4 MEDIUM | IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
CVE-2022-4070 | 1 Librenms | 1 Librenms | 2022-11-21 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-3362 | 1 Ikus-soft | 1 Rdiffweb | 2022-11-17 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.
CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2022-11-15 | N/A | 4.3 MEDIUM | HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2022-11-08 | N/A | 5.3 MEDIUM | In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token.
CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2022-11-04 | N/A | 6.5 MEDIUM | IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532.
CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 8.8 HIGH | GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2022-10-28 | N/A | 9.1 CRITICAL | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
CVE-2020-13299 | 1 Gitlab | 1 Gitlab | 2022-10-27 | 5.5 MEDIUM | 8.1 HIGH | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2022-10-25 | 5.8 MEDIUM | 7.4 HIGH | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
CVE-2019-7280 | 1 Primasystems | 1 Flexair | 2022-10-25 | 4.0 MEDIUM | 8.8 HIGH | Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.
CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2022-10-21 | 3.6 LOW | 7.1 HIGH | A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.
CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2022-10-19 | N/A | 5.4 MEDIUM | devhub 0.102.0 was discovered to contain a broken session control.