Total: 222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-41291 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2022-10-08 | N/A | 6.5 MEDIUM | IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.
CVE-2022-24042 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2022-10-05 | 6.4 MEDIUM | 9.1 CRITICAL | A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.
CVE-2020-4696 | 1 Ibm | 1 Cloud Pak For Security | 2022-09-30 | 4.0 MEDIUM | 4.3 MEDIUM | IBM Cloud Pak for Security 1.3.0.1 (CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.
CVE-2020-15774 | 1 Gradle | 1 Enterprise | 2022-09-29 | 4.6 MEDIUM | 6.8 MEDIUM | An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2022-09-23 | N/A | 5.3 MEDIUM | Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by the previous user.
CVE-2022-2888 | 1 Octoprint | 1 Octoprint | 2022-09-22 | N/A | 4.4 MEDIUM | If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
CVE-2022-31677 | 1 Vmware | 1 Pinniped | 2022-09-07 | N/A | 5.4 MEDIUM | An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.
CVE-2022-23669 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-09-01 | 6.5 MEDIUM | 8.8 HIGH | A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
CVE-2018-1195 | 1 Cloudfoundry | 3 Capi-release, Cf-deployment, Cf-release | 2022-08-29 | 6.5 MEDIUM | 8.8 HIGH | In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
CVE-2022-34624 | 1 Mealie | 1 Mealie | 2022-08-23 | N/A | 5.9 MEDIUM | Mealie 1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2022-08-16 | N/A | 8.2 HIGH | Improper Access Control in GitHub repository namelessmc/nameless prior to v2.0.2.
CVE-2022-2713 | 1 Agentejo | 1 Cockpit | 2022-08-12 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
CVE-2022-35728 | 1 F5 | 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more | 2022-08-10 | N/A | 9.8 CRITICAL | In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2022-08-10 | 7.5 HIGH | 9.8 CRITICAL | Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier), which does disable the existing session.
CVE-2022-31145 | 1 Flyte | 1 Flyteadmin | 2022-07-20 | N/A | 6.5 MEDIUM | FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide the FlyteAdmin deployment ingress URL from the internet.
CVE-2022-33137 | 1 Siemens | 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more | 2022-07-15 | 6.0 MEDIUM | 8.0 HIGH | A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.
CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH | Old session tokens can be used to authenticate to the application and send authenticated requests.
CVE-2022-22317 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Curam Social Program Management and 4 more | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL | IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281.
CVE-2022-22318 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Curam Social Program Management and 4 more | 2022-06-28 | 6.5 MEDIUM | 9.8 CRITICAL | IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
CVE-2022-31050 | 1 Typo3 | 1 Typo3 | 2022-06-23 | 6.5 MEDIUM | 7.2 HIGH | TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.