Total
348 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-41672 | 1 Apache | 1 Airflow | 2024-08-03 | 8.1 High |
| In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | ||||
| CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2024-08-03 | 5.4 Medium |
| devhub 0.102.0 was discovered to contain a broken session control. | ||||
| CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2024-08-03 | 6.5 Medium |
| "IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532." | ||||
| CVE-2022-40228 | 1 Ibm | 1 Datapower Gateway | 2024-08-03 | 3.7 Low |
| IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527. | ||||
| CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2024-08-03 | 4.7 Medium |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | ||||
| CVE-2022-38707 | 1 Ibm | 1 Cognos Command Center | 2024-08-03 | 4 Medium |
| IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179. | ||||
| CVE-2022-37186 | 1 Lemonldap-ng | 1 Lemonldap\ | 2024-08-03 | 5.9 Medium |
| In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. | ||||
| CVE-2022-36179 | 1 Fusiondirectory | 1 Fusiondirectory | 2024-08-03 | 9.8 Critical |
| Fusiondirectory 1.3 suffers from Improper Session Handling. | ||||
| CVE-2022-34624 | 1 Mealie | 1 Mealie | 2024-08-03 | 5.9 Medium |
| Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. | ||||
| CVE-2022-34392 | 1 Dell | 1 Supportassist For Home Pcs | 2024-08-03 | 5.5 Medium |
| SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. | ||||
| CVE-2022-33137 | 1 Siemens | 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more | 2024-08-03 | 8.0 High |
| A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions. | ||||
| CVE-2022-32759 | 1 Ibm | 4 Security Directory Integrator, Security Directory Server, Security Verify Access and 1 more | 2024-08-03 | 5.3 Medium |
| IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565. | ||||
| CVE-2022-31677 | 1 Vmware | 1 Pinniped | 2024-08-03 | 5.4 Medium |
| An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow. | ||||
| CVE-2022-31145 | 1 Flyte | 1 Flyteadmin | 2024-08-03 | 6.5 Medium |
| FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet. | ||||
| CVE-2022-31050 | 1 Typo3 | 1 Typo3 | 2024-08-03 | 6 Medium |
| TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem. | ||||
| CVE-2022-25590 | 1 Surveyking | 1 Surveyking | 2024-08-03 | 6.5 Medium |
| SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to login to the system and access data using the browser cache when the user exits the application. | ||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2024-08-03 | 6.3 Medium |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | ||||
| CVE-2022-24743 | 1 Sylius | 1 Sylius | 2024-08-03 | 7.1 High |
| Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory. | ||||
| CVE-2022-24744 | 1 Shopware | 1 Shopware | 2024-08-03 | 2.6 Low |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | ||||
| CVE-2022-24732 | 1 Maddy Project | 1 Maddy | 2024-08-03 | 6.3 Medium |
| Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms. | ||||