Total
348 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49091 | 1 Cosmos-cloud | 1 Cosmos Server | 2024-08-02 | 8.8 High |
| Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0. | ||||
| CVE-2023-46326 | 1 Zstack | 1 Zstack | 2024-08-02 | 8.8 High |
| ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation. | ||||
| CVE-2023-45187 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2024-08-02 | 6.3 Medium |
| IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749. | ||||
| CVE-2023-40732 | 1 Siemens | 1 Qms Automotive | 2024-08-02 | 3.9 Low |
| A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks. | ||||
| CVE-2023-40695 | 2024-08-02 | 6.3 Medium | ||
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 264938. | ||||
| CVE-2023-35857 | 1 Siren | 1 Investigate | 2024-08-02 | 9.8 Critical |
| In Siren Investigate before 13.2.2, session keys remain active even after logging out. | ||||
| CVE-2023-33005 | 1 Jenkins | 1 Wso2 Oauth | 2024-08-02 | 5.4 Medium |
| Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login. | ||||
| CVE-2023-32318 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 7.2 High |
| Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1. | ||||
| CVE-2023-31140 | 1 Openproject | 1 Openproject | 2024-08-02 | 4.8 Medium |
| OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround. | ||||
| CVE-2023-31139 | 1 Dhis2 | 1 Dhis 2 | 2024-08-02 | 4.3 Medium |
| DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy. | ||||
| CVE-2023-30403 | 1 Aigital | 2 Wireless-n Repeater Mini Router, Wireless-n Repeater Mini Router Firmware | 2024-08-02 | 7.5 High |
| An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user. | ||||
| CVE-2023-28003 | 1 Schneider-electric | 1 Ecostruxure Power Monitoring Expert | 2024-08-02 | 6.7 Medium |
| A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account. | ||||
| CVE-2023-27891 | 1 Rami | 1 Pretix | 2024-08-02 | 7.5 High |
| rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. | ||||
| CVE-2023-25562 | 1 Datahub Project | 1 Datahub | 2024-08-02 | 6.9 Medium |
| DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged out session, as a result any logged out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-083. | ||||
| CVE-2023-24426 | 1 Jenkins | 1 Azure Ad | 2024-08-02 | 8.8 High |
| Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. | ||||
| CVE-2023-23929 | 1 Vantage6 | 1 Vantage6 | 2024-08-02 | 8.8 High |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. | ||||
| CVE-2023-23614 | 1 Pi-hole | 1 Web Interface | 2024-08-02 | 8.8 High |
| Pi-holeĀ®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via an other attack vector (for example a path traversal vulnerability) could use it to login as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3. | ||||
| CVE-2023-22771 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2024-08-02 | 6.8 Medium |
| An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account | ||||
| CVE-2023-22732 | 1 Shopware | 1 Shopware | 2024-08-02 | 3.7 Low |
| Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2024-08-02 | 3.9 Low |
| IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710. | ||||