Show CWE-613: Insufficient Session Expiration - CXSecurity.com

	Topic	Date	Author
Low	Microsoft Office 365 Enterprise E3 Insufficient Session Expiration	09.07.2017	Micha Borrmann

CVEMAP Search Results

CVE

Details

Description

2019-10-09

Medium

CVE-2019-17375

Vendor: Cpanel
Software: Cpanel

cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).

2019-09-22

Medium

CVE-2018-21018

Vendor: Joinmastodon
Software: Mastodon

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

2019-09-18

Medium

CVE-2019-5531

Vendor: Vmware
Software: Vcenter server

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user?s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.

2019-09-17

Low

CVE-2019-14826

Vendor: Freeipa
Software: Freeipa

A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

2019-09-08

Low

CVE-2019-16133

Vendor: Weaver
Software: Eteams oa

An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.

2019-08-21

Medium

CVE-2019-5638

Vendor: Rapid7
Software: Nexpose

Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.

2019-07-01

Low

CVE-2019-7280

Vendor: Primasystems
Software: Flexair

Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.

2019-06-06

Medium	CVE-2019-3790	Vendor: Pivotal software Software: Operations m...	The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
Medium	CVE-2019-7215	Updating...	Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.

2019-05-09

Medium

CVE-2019-4072

Vendor: IBM
Software: Spectrum control

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) allows users to remain idle within the application even when a user has logged out. Utilizing the application back button users can remain logged in as the current user for a short period of time, therefore users are presented with information for Spectrum Control Application. IBM X-Force ID: 157064.

Copyright 2019, cxsecurity.com