Total: 331 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-4190 | 1 Admidio | 1 Admidio | 2023-08-09 | N/A | 6.5 MEDIUM |
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. | |||||
CVE-2023-4126 | 1 Answer | 1 Answer | 2023-08-08 | N/A | 8.8 HIGH |
Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0. | |||||
CVE-2021-29846 | 1 Ibm | 1 Security Guardium Insights | 2023-08-08 | 4.0 MEDIUM | 2.7 LOW |
IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256. | |||||
CVE-2023-37919 | 1 Cal | 1 Cal.com | 2023-08-04 | N/A | 5.4 MEDIUM |
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist. | |||||
CVE-2023-4005 | 1 Fossbilling | 1 Fossbilling | 2023-08-03 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | |||||
CVE-2023-38489 | 1 Getkirby | 1 Kirby | 2023-08-03 | N/A | 7.3 HIGH |
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby did not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases. | |||||
CVE-2023-35857 | 1 Siren | 1 Investigate | 2023-06-27 | N/A | 9.8 CRITICAL |
In Siren Investigate before 13.2.2, session keys remain active even after logging out. | |||||
CVE-2023-2788 | 1 Mattermost | 1 Mattermost | 2023-06-26 | N/A | 6.5 MEDIUM |
Mattermost fails to check if an admin user account is active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. | |||||
CVE-2023-0041 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2023-06-09 | N/A | 8.8 HIGH |
IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657. | |||||
CVE-2023-32318 | 1 Nextcloud | 1 Nextcloud Server | 2023-06-02 | N/A | 6.7 MEDIUM |
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1. | |||||
CVE-2023-31139 | 1 Dhis2 | 1 Dhis 2 | 2023-05-16 | N/A | 7.5 HIGH |
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy. | |||||
CVE-2023-31140 | 1 Openproject | 1 Openproject | 2023-05-15 | N/A | 6.5 MEDIUM |
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround. | |||||
CVE-2022-38707 | 1 Ibm | 1 Cognos Command Center | 2023-05-11 | N/A | 5.5 MEDIUM |
IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179. | |||||
CVE-2023-28003 | 1 Schneider-electric | 1 Ecostruxure Power Monitoring Expert | 2023-05-01 | N/A | 8.8 HIGH |
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account. | |||||
CVE-2023-1788 | 1 Firefly-iii | 1 Firefly Iii | 2023-04-12 | N/A | 9.8 CRITICAL |
Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. | |||||
CVE-2023-1543 | 1 Answer | 1 Answer | 2023-03-23 | N/A | 8.8 HIGH |
Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6. | |||||
CVE-2023-27891 | 1 Rami | 1 Pretix | 2023-03-14 | N/A | 7.5 HIGH |
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. | |||||
CVE-2023-25562 | 1 Datahub Project | 1 Datahub | 2023-02-21 | N/A | 9.8 CRITICAL |
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45, session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged out session; as a result, any logged out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-083. | |||||
CVE-2022-41672 | 1 Apache | 1 Airflow | 2023-02-11 | N/A | 8.1 HIGH |
In Apache Airflow, prior to version 2.4.1, deactivating a user would not prevent an already authenticated user from being able to continue using the UI or API. | |||||
CVE-2023-23614 | 1 Pi-hole | 1 Web Interface | 2023-02-06 | N/A | 8.8 HIGH |
Pi-hole®'s Web interface (based on AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3, are vulnerable to Insufficient Session Expiration. Improper use of the admin WEBPASSWORD hash as the "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to log in or to reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days, but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via another attack vector (for example a path traversal vulnerability) could use it to log in as the admin by setting the hash as the cookie value, without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3. |