CWE:

Severity | Title | Date | Author
Low | MailDepot 2032 SP2 Session Expiration | 30.09.2020 | Micha Borrmann
Low | Microsoft Office 365 Enterprise E3 Insufficient Session Expiration | 09.07.2017 | Micha Borrmann

Common Weakness Enumeration (CWE)

Date | Severity | CVE
Details
Description

2022-01-18 | Medium | CVE-2021-37866
Vendor: Mattermost
Software: Mattermost b...
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization.

2022-01-13 | Waiting for details | CVE-2022-22122

Medium | CVE-2022-22113
Vendor: Daybydaycrm
Software: Daybyday
In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed.

2022-01-05 | Medium | CVE-2022-21652
Vendor: Shopware
Software: Shopware
Shopware is an open source e-commerce software platform. In affected versions Shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted so that sessions created prior to the latest password change of a customer account can't be used to log in with said account. This also means that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

2021-12-08 | Medium | CVE-2020-27416
Vendor: Mahadiscom
Software: Mahavitaran
Mahavitaran Android application 7.50 and prior are affected by account takeover due to improper OTP validation, which allows remote attackers to control a user's account.

2021-12-02 | Medium | CVE-2021-43791
Vendor: Zulip
Software: Zulip
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/, meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.

2021-11-30 | Medium | CVE-2021-42545
Vendor: Business-dnasolutions
Software: Topease

Medium | CVE-2021-36330
Vendor: DELL
Software: Emc streamin...
Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.

2021-11-16 | Medium | CVE-2021-25940
Vendor: Arangodb
Software: Arangodb

Medium | CVE-2021-25985
Vendor: Darwin
Software: Factor

Copyright 2022, cxsecurity.com