Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
CWE
:
Topic
Date
Author
Low
Microsoft Office 365 Enterprise E3 Insufficient Session Expiration
09.07.2017
Micha Borrmann
CVEMAP Search Results
CVE
Details
Description
2019-11-19
Medium
CVE-2019-12421
Vendor:
Apache
Software:
NIFI
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
2019-11-14
Medium
CVE-2019-11168
Updating...
Insufficient session validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.
2019-10-09
Medium
CVE-2019-17375
Vendor:
Cpanel
Software:
Cpanel
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
2019-09-22
Medium
CVE-2018-21018
Vendor:
Joinmastodon
Software:
Mastodon
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
2019-09-18
Medium
CVE-2019-5531
Vendor:
Vmware
Software:
Vcenter server
VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user?s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
2019-09-17
Low
CVE-2019-14826
Vendor:
Freeipa
Software:
Freeipa
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.
2019-09-08
Low
CVE-2019-16133
Vendor:
Weaver
Software:
Eteams oa
An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.
2019-08-21
Medium
CVE-2019-5638
Vendor:
Rapid7
Software:
Nexpose
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.
2019-07-01
Low
CVE-2019-7280
Vendor:
Primasystems
Software:
Flexair
Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.
2019-06-06
Medium
CVE-2019-7215
Updating...
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
Copyright
2019
, cxsecurity.com
Back to Top
