Total: 348 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-3867 | 1 Redhat | 1 Quay | 2024-08-04 | 4.1 Medium | A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker able to gain access to a session could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.
CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2024-08-04 | 7.1 High | After user deletion in MongoDB Server, the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13; and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: after deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.
CVE-2020-35358 | 1 Domainmod | 1 Domainmod | 2024-08-04 | 9.8 Critical | DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both the sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.
CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2024-08-04 | 9.8 Critical | In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.
CVE-2020-27739 | 1 Citadel | 1 Webcit | 2024-08-04 | 9.8 Critical | A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.
CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2024-08-04 | 9.8 Critical | In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.
CVE-2020-27416 | 1 Mahadiscom | 1 Mahavitaran | 2024-08-04 | 9.8 Critical | The Mahavitaran Android application 7.50 and prior is affected by account takeover due to improper OTP validation, which allows remote attackers to control a user's account.
CVE-2020-25374 | 1 Cyberark | 1 Privileged Session Manager | 2024-08-04 | 2.6 Low | CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.
CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2024-08-04 | 7.5 High | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout.
CVE-2020-23136 | 1 Microweber | 1 Microweber | 2024-08-04 | 5.5 Medium | Microweber v1.1.18 is affected by no session expiry after log-out.
CVE-2020-23140 | 1 Microweber | 1 Microweber | 2024-08-04 | 8.1 High | Microweber 1.1.18 is affected by insufficient session expiration. When a user changes their password or email, existing sessions, including old sessions in any other browser or device, do not expire and remain active.
CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-08-04 | 9.8 Critical | A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-08-04 | 5.9 Medium | Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
CVE-2020-15950 | 1 Immuta | 1 Immuta | 2024-08-04 | 8.8 High | Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
CVE-2020-15774 | 1 Gradle | 1 Enterprise | 2024-08-04 | 6.8 Medium | An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
CVE-2020-15269 | 1 Sparksolutions | 1 Spree | 2024-08-04 | 7.4 High | In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
CVE-2020-15218 | 1 Combodo | 1 Itop | 2024-08-04 | 6.8 Medium | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is still visible after logging out by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15220 | 1 Combodo | 1 Itop | 2024-08-04 | 6.1 Medium | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which makes it possible to steal a user's session. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15074 | 1 Openvpn | 1 Openvpn Access Server | 2024-08-04 | 7.5 High | OpenVPN Access Server older than version 2.8.4, and version 2.9.5, generates new user authentication tokens instead of reusing existing tokens on reconnect, making it possible to circumvent the initial token expiry timestamp.
CVE-2020-14247 | 1 Hcltechsw | 1 Onetest Performance | 2024-08-04 | 6.5 Medium | HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.