Total
331 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48926 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 3.1 LOW |
| Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. | |||||
| CVE-2024-25718 | 1 Dropbox | 1 Samly | 2024-10-21 | N/A | 9.8 CRITICAL |
| In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry. | |||||
| CVE-2024-45462 | 1 Apache | 1 Cloudstack | 2024-10-17 | N/A | 7.1 HIGH |
| The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. | |||||
| CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | |||||
| CVE-2023-31065 | 1 Apache | 1 Inlong | 2024-10-09 | N/A | 9.1 CRITICAL |
| Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 , https://github.com/apache/inlong/pull/7884 https://github.com/apache/inlong/pull/7884 to solve it. | |||||
| CVE-2024-23586 | 1 Hcltech | 2 Domino, Hcl Nomad | 2024-10-07 | N/A | 7.5 HIGH |
| HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information. | |||||
| CVE-2024-8888 | 1 Circutor | 2 Q-smt, Q-smt Firmware | 2024-10-01 | N/A | 7.5 HIGH |
| An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc. | |||||
| CVE-2022-38382 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2024-09-21 | N/A | 4.1 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672. | |||||
| CVE-2024-38315 | 1 Ibm | 1 Aspera Shares | 2024-09-20 | N/A | 6.5 MEDIUM |
| IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2019-5638 | 1 Rapid7 | 1 Nexpose | 2024-09-16 | 6.8 MEDIUM | N/A |
| Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. | |||||
| CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-09-09 | N/A | 8.8 HIGH |
| One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. | |||||
| CVE-2022-45862 | 1 Fortinet | 4 Fortios, Fortipam, Fortiproxy and 1 more | 2024-08-22 | N/A | 8.8 HIGH |
| An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials. | |||||
| CVE-2024-39809 | 1 F5 | 1 Big-ip Next Central Manager | 2024-08-19 | N/A | 8.8 HIGH |
| The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2024-27782 | 1 Fortinet | 1 Fortiaiops | 2024-08-16 | N/A | 9.8 CRITICAL |
| Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests. | |||||
| CVE-2023-26288 | 1 Ibm | 1 Aspera Orchestrator | 2024-08-13 | N/A | 5.5 MEDIUM |
| IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477. | |||||
| CVE-2024-41827 | 1 Jetbrains | 1 Teamcity | 2024-08-07 | N/A | 9.8 CRITICAL |
| In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration | |||||
| CVE-2023-40025 | 1 Argoproj | 1 Argo Cd | 2024-08-07 | N/A | 7.1 HIGH |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1. | |||||
| CVE-2021-26921 | 1 Argoproj | 1 Argo Cd | 2024-08-07 | 5.0 MEDIUM | 6.5 MEDIUM |
| In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. | |||||
| CVE-2022-32759 | 1 Ibm | 3 Security Directory Integrator, Security Directory Server, Security Verify Access | 2024-08-02 | N/A | 7.5 HIGH |
| IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565. | |||||
| CVE-2022-48317 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 9.8 CRITICAL |
| Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI. | |||||