Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-613
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-41291 3 Ibm, Linux, Microsoft 4 Aix, Infosphere Information Server, Linux Kernel and 1 more 2022-10-08 N/A 6.5 MEDIUM
IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.
CVE-2022-24042 1 Siemens 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more 2022-10-05 6.4 MEDIUM 9.1 CRITICAL
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.
CVE-2020-4696 1 Ibm 1 Cloud Pak For Security 2022-09-30 4.0 MEDIUM 4.3 MEDIUM
IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.
CVE-2020-15774 1 Gradle 1 Enterprise 2022-09-29 4.6 MEDIUM 6.8 MEDIUM
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
CVE-2019-5641 1 Rapid7 1 Insightvm 2022-09-23 N/A 5.3 MEDIUM
Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user
CVE-2022-2888 1 Octoprint 1 Octoprint 2022-09-22 N/A 4.4 MEDIUM
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
CVE-2022-31677 1 Vmware 1 Pinniped 2022-09-07 N/A 5.4 MEDIUM
An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.
CVE-2022-23669 1 Arubanetworks 1 Clearpass Policy Manager 2022-09-01 6.5 MEDIUM 8.8 HIGH
A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
CVE-2018-1195 1 Cloudfoundry 3 Capi-release, Cf-deployment, Cf-release 2022-08-29 6.5 MEDIUM 8.8 HIGH
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
CVE-2022-34624 1 Mealie 1 Mealie 2022-08-23 N/A 5.9 MEDIUM
Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
CVE-2022-2820 1 Namelessmc 1 Nameless 2022-08-16 N/A 8.2 HIGH
Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.
CVE-2022-2713 1 Agentejo 1 Cockpit 2022-08-12 N/A 9.8 CRITICAL
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
CVE-2022-35728 1 F5 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more 2022-08-10 N/A 9.8 CRITICAL
In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-25979 1 Apostrophecms 1 Apostrophecms 2022-08-10 7.5 HIGH 9.8 CRITICAL
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
CVE-2022-31145 1 Flyte 1 Flyteadmin 2022-07-20 N/A 6.5 MEDIUM
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet.
CVE-2022-33137 1 Siemens 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more 2022-07-15 6.0 MEDIUM 8.0 HIGH
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.
CVE-2022-2306 1 Heroiclabs 1 Nakama 2022-07-14 5.0 MEDIUM 7.5 HIGH
Old session tokens can be used to authenticate to the application and send authenticated requests.
CVE-2022-22317 5 Hp, Ibm, Linux and 2 more 7 Hp-ux, Aix, Curam Social Program Management and 4 more 2022-06-28 7.5 HIGH 9.8 CRITICAL
IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281.
CVE-2022-22318 5 Hp, Ibm, Linux and 2 more 7 Hp-ux, Aix, Curam Social Program Management and 4 more 2022-06-28 6.5 MEDIUM 9.8 CRITICAL
IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
CVE-2022-31050 1 Typo3 1 Typo3 2022-06-23 6.5 MEDIUM 7.2 HIGH
TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.