Total: 331 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-4680 | 1 Zenml | 1 Zenml | 2024-07-19 | N/A | 8.8 HIGH | A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication.
CVE-2024-5995 | | | 2024-06-17 | N/A | 8.8 HIGH | The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. The expiration of the session is not properly configured, remaining valid for more than 7 days and can be reused.
CVE-2024-0942 | 1 Totolink | 2 N200re-v5, N200re-v5 Firmware | 2024-05-17 | N/A | 4.3 MEDIUM | A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0943 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-05-17 | N/A | 5.3 MEDIUM | A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0944 | 1 Totolink | 2 T8, T8 Firmware | 2024-05-17 | N/A | 5.3 MEDIUM | A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-05-17 | N/A | 6.5 MEDIUM | A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability.
CVE-2024-0260 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-05-17 | N/A | 7.5 HIGH | A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816.
CVE-2023-1854 | 1 Online Graduate Tracer System Project | 1 Online Graduate Tracer System | 2024-05-17 | N/A | 9.8 CRITICAL | A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-224994 is the identifier assigned to this vulnerability.
CVE-2024-22403 | 1 Nextcloud | 1 Nextcloud Server | 2024-05-01 | N/A | 3.7 LOW | Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.
CVE-2023-4320 | 1 Redhat | 1 Satellite | 2024-04-25 | N/A | 7.5 HIGH | An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity.
CVE-2023-45187 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2024-02-15 | N/A | 8.8 HIGH | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749.
CVE-2022-34624 | 1 Mealie | 1 Mealie | 2024-02-14 | N/A | 5.9 MEDIUM | Mealie 1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
CVE-2023-50936 | 1 Ibm | 1 Powersc | 2024-02-02 | N/A | 8.8 HIGH | IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.
CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2024-01-23 | 6.0 MEDIUM | 7.1 HIGH | After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
CVE-2023-49935 | 1 Schedmd | 1 Slurm | 2024-01-03 | N/A | 8.8 HIGH | An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.
CVE-2021-3144 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 7.5 HIGH | 9.1 CRITICAL | In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.)
CVE-2023-46326 | 1 Zstack | 1 Zstack | 2023-12-06 | N/A | 8.8 HIGH | ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation.
CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-11-09 | N/A | 9.8 CRITICAL | Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
CVE-2023-39695 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2023-11-09 | N/A | 5.3 MEDIUM | Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out.
CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2023-11-09 | N/A | 8.2 HIGH | Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.