Total: 222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-15218 | 1 Combodo | 1 Itop | 2021-01-15 | 3.5 LOW | 6.8 MEDIUM | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so their content remains visible after logout by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15220 | 1 Combodo | 1 Itop | 2021-01-15 | 5.8 MEDIUM | 6.1 MEDIUM | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which makes it possible to steal a user's session. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2016-20007 | 1 Rest/json Project | 1 Rest/json | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH | The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2020-12-14 | 10.0 HIGH | 9.8 CRITICAL | In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.
CVE-2020-25374 | 1 Cyberark | 1 Privileged Session Manager | 2020-12-02 | 2.1 LOW | 2.6 LOW | CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.
CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2020-11-30 | 7.5 HIGH | 9.8 CRITICAL | In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user does not expire once used, allowing an attacker to use the same link to take over the account.
CVE-2020-23136 | 1 Microweber | 1 Microweber | 2020-11-20 | 2.1 LOW | 5.5 MEDIUM | Microweber v1.1.18 is affected by a lack of session expiry after logout.
CVE-2020-23140 | 1 Microweber | 1 Microweber | 2020-11-20 | 5.8 MEDIUM | 8.1 HIGH | Microweber 1.1.18 is affected by insufficient session expiration. When a user changes their password (and likewise when they change their email), existing sessions in any other browser or device do not expire and remain active.
CVE-2020-15950 | 1 Immuta | 1 Immuta | 2020-11-12 | 6.8 MEDIUM | 8.8 HIGH | Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL | NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.
CVE-2020-27739 | 1 Citadel | 1 Webcit | 2020-11-04 | 7.5 HIGH | 9.8 CRITICAL | A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.
CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2020-10-30 | 5.0 MEDIUM | 7.5 HIGH | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.
CVE-2020-4395 | 1 Ibm | 1 Security Access Manager Appliance | 2020-10-26 | 5.5 MEDIUM | 5.4 MEDIUM | IBM Security Access Manager Appliance 9.0.7 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358.
CVE-2020-4780 | 1 Ibm | 1 Curam Social Program Management | 2020-10-26 | 5.0 MEDIUM | 5.3 MEDIUM | OOTB build scripts do not set the secure attribute on the session cookie, which may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158.
CVE-2020-6363 | 1 Sap | 1 Commerce Cloud | 2020-10-19 | 4.9 MEDIUM | 4.6 MEDIUM | SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration.
CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2020-10-16 | 6.0 MEDIUM | 7.1 HIGH | After user deletion in MongoDB Server, the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.
CVE-2019-19199 | 1 Reddoxx | 1 Maildepot | 2020-10-13 | 5.8 MEDIUM | 7.4 HIGH | REDDOXX MailDepot 2032 SP2 2.2.1242 has Insufficient Session Expiration because tokens are not invalidated upon a logout.
CVE-2019-6584 | 1 Siemens | 2 Logo!8, Logo!8 Firmware | 2020-09-28 | 6.8 MEDIUM | 8.8 HIGH | A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user, or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2020-13307 | 1 Gitlab | 1 Gitlab | 2020-09-18 | 6.0 MEDIUM | 4.7 MEDIUM | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when two-factor authentication was activated, allowing a malicious user to maintain their access.
CVE-2020-13302 | 1 Gitlab | 1 Gitlab | 2020-09-17 | 6.5 MEDIUM | 7.2 HIGH | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.