CWE:

Severity: Low
Topic: Microsoft Office 365 Enterprise E3 Insufficient Session Expiration
Date: 09.07.2017
Author: Micha Borrmann


CVEMAP Search Results

CVE: CVE-2020-6644
Date: 2020-06-22
Severity: Medium
Vendor: Fortinet
Software: Fortideceptor
Description: An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.

CVE: CVE-2017-18905
Date: 2020-06-19
Severity: Medium
Vendor: Mattermost
Software: Mattermost s...
Description: An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.

CVE: CVE-2020-1724
Date: 2020-05-11
Severity: Low
Vendor: Redhat
Software: Keycloak
Description: A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in to see the personal information of a previously logged out user in the account manager section.

CVE: CVE-2020-12690
Date: 2020-05-07
Severity: Medium
Vendor: Openstack
Software: Keystone
Description: An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

CVE: CVE-2020-9482
Date: 2020-04-28
Severity: Medium
Vendor: Apache
Software: Nifi registry
Description: If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

CVE: CVE-2016-11058
Severity: Medium
Vendor: Netgear
Software: Genie
Description: The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs.

CVE: CVE-2020-11688
Date: 2020-04-22
Severity: Medium
Vendor: Jetbrains
Software: Teamcity
Description: In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session.

CVE: CVE-2020-11795
Severity: Medium
Vendor: Jetbrains
Software: Space
Description: In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.

CVE: CVE-2020-8867
Severity: Medium
Vendor: Opcfoundation
Software: Unified arch...
Description: This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.

CVE: CVE-2020-4253
Date: 2020-03-24
Severity: Medium
Vendor: IBM
Software: Content navi...
Description: IBM Content Navigator 3.0CD does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 175559.

Copyright 2020, cxsecurity.com