Total
354 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-35220 | 2024-11-21 | N/A | 7.4 HIGH | ||
| @fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. This vulnerability has been patched 10.8.0. | |||||
| CVE-2024-35048 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password. | |||||
| CVE-2024-29402 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | |||||
| CVE-2024-29401 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. | |||||
| CVE-2024-29070 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4 | |||||
| CVE-2024-27782 | 1 Fortinet | 1 Fortiaiops | 2024-11-21 | N/A | 8.1 HIGH |
| Multiple insufficient session expiration vulnerabilities [CWE-613] in FortiAIOps version 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests. | |||||
| CVE-2024-27455 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. | |||||
| CVE-2024-25718 | 1 Dropbox | 1 Samly | 2024-11-21 | N/A | 9.8 CRITICAL |
| In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry. | |||||
| CVE-2024-22403 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 3.0 LOW |
| Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-0944 | 1 Totolink | 2 T8, T8 Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0943 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252187. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0942 | 1 Totolink | 2 N200re-v5, N200re-v5 Firmware | 2024-11-21 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. VDB-252186 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-11-21 | 2.1 LOW | 3.1 LOW |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0260 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816. | |||||
| CVE-2023-5889 | 1 Pkp | 1 Pkp Web Application Library | 2024-11-21 | N/A | 8.2 HIGH |
| Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-5865 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. | |||||
| CVE-2023-5838 | 1 Linkstack | 1 Linkstack | 2024-11-21 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. | |||||
| CVE-2023-51772 | 1 Oneidentity | 1 Password Manager | 2024-11-21 | N/A | 8.8 HIGH |
| One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM. | |||||
| CVE-2023-50936 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 6.3 MEDIUM |
| IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116. | |||||
| CVE-2023-4320 | 1 Redhat | 1 Satellite | 2024-11-21 | N/A | 7.6 HIGH |
| An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity. | |||||