Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-613
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-33322 1 Liferay 2 Dxp, Liferay Portal 2021-08-11 5.0 MEDIUM 7.5 HIGH
In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token.
CVE-2021-20431 3 Ibm, Linux, Microsoft 3 I2 Analysts Notebook, Linux Kernel, Windows 2021-08-04 4.3 MEDIUM 6.5 MEDIUM
IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. IBM X-Force ID: 196342.
CVE-2020-4284 1 Ibm 1 Security Information Queue 2021-07-21 5.0 MEDIUM 5.3 MEDIUM
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207.
CVE-2020-12690 1 Openstack 1 Keystone 2021-07-12 6.5 MEDIUM 8.8 HIGH
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CVE-2021-20378 1 Ibm 1 Guardium Data Encryption 2021-07-09 6.5 MEDIUM 8.8 HIGH
IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.
CVE-2021-26037 1 Joomla 1 Joomla\! 2021-07-09 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.
CVE-2021-22221 1 Gitlab 1 Gitlab 2021-06-15 6.4 MEDIUM 6.5 MEDIUM
An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
CVE-2021-22136 1 Elastic 1 Kibana 2021-05-21 3.6 LOW 3.5 LOW
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.
CVE-2021-31408 1 Vaadin 2 Flow, Vaadin 2021-05-04 3.3 LOW 7.1 HIGH
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
CVE-2019-3867 1 Redhat 1 Quay 2021-03-25 4.4 MEDIUM 4.1 MEDIUM
A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.
CVE-2021-26921 1 Linuxfoundation 1 Argo Continuous Delivery 2021-03-22 5.0 MEDIUM 6.5 MEDIUM
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
CVE-2020-35358 1 Domainmod 1 Domainmod 2021-03-18 7.5 HIGH 9.8 CRITICAL
DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.
CVE-2021-3311 1 Octobercms 1 October 2021-03-15 6.8 MEDIUM 9.8 CRITICAL
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.
CVE-2009-20001 1 Mantisbt 1 Mantisbt 2021-03-11 5.5 MEDIUM 8.1 HIGH
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2021-21031 1 Magento 1 Magento 2021-02-16 7.5 HIGH 5.6 MEDIUM
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
CVE-2021-21032 1 Magento 1 Magento 2021-02-16 7.5 HIGH 5.6 MEDIUM
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
CVE-2020-4995 1 Ibm 1 Security Identity Governance And Intelligence 2021-02-10 5.0 MEDIUM 5.3 MEDIUM
IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users' session. IBM X-Force ID: 192912.
CVE-2020-6649 1 Fortinet 1 Fortiisolator 2021-02-10 7.5 HIGH 9.8 CRITICAL
An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
CVE-2020-14247 1 Hcltechsw 1 Onetest Performance 2021-02-09 6.4 MEDIUM 6.5 MEDIUM
HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.
CVE-2021-3183 1 Files 1 Fat Client 2021-01-27 5.0 MEDIUM 7.5 HIGH
Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile.