Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-4395 | 1 Ibm | 1 Security Access Manager Appliance | 2024-11-21 | 5.4 Medium |
| IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358. | ||||
| CVE-2020-4284 | 1 Ibm | 1 Security Information Queue | 2024-11-21 | 5.3 Medium |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207. | ||||
| CVE-2020-4253 | 1 Ibm | 1 Content Navigator | 2024-11-21 | 8.8 High |
| IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 175559. | ||||
| CVE-2020-3188 | 1 Cisco | 25 Asa 5505, Asa 5505 Firmware, Asa 5510 and 22 more | 2024-11-21 | 5.3 Medium |
| A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. The vulnerability exists because the default session timeout period for specific to-the-box remote management connections is too long. An attacker could exploit this vulnerability by sending a large and sustained number of crafted remote management connections to an affected device, resulting in a buildup of those connections over time. A successful exploit could allow the attacker to cause the remote management interface or Cisco Firepower Device Manager (FDM) to stop responding and cause other management functions to go offline, resulting in a DoS condition. The user traffic that is flowing through the device would not be affected, and the DoS condition would be isolated to remote management only. | ||||
| CVE-2020-35358 | 1 Domainmod | 1 Domainmod | 2024-11-21 | 9.8 Critical |
| DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality. | ||||
| CVE-2020-29667 | 1 Lanatmservice | 1 M3 Atm Monitoring System | 2024-11-21 | 9.8 Critical |
| In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration. | ||||
| CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.6 Medium |
| An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks) | ||||
| CVE-2020-27739 | 1 Citadel | 1 Webcit | 2024-11-21 | 9.8 Critical |
| A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. | ||||
| CVE-2020-27422 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 9.8 Critical |
| In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account. | ||||
| CVE-2020-27416 | 1 Mahadiscom | 1 Mahavitaran | 2024-11-21 | 9.8 Critical |
| Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account. | ||||
| CVE-2020-25374 | 1 Cyberark | 1 Privileged Session Manager | 2024-11-21 | 2.6 Low |
| CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. | ||||
| CVE-2020-24713 | 1 Getgophish | 1 Gophish | 2024-11-21 | 7.5 High |
| Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | ||||
| CVE-2020-23140 | 1 Microweber | 1 Microweber | 2024-11-21 | 8.1 High |
| Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | ||||
| CVE-2020-23136 | 1 Microweber | 1 Microweber | 2024-11-21 | 5.5 Medium |
| Microweber v1.1.18 is affected by no session expiry after log-out. | ||||
| CVE-2020-1776 | 1 Otrs | 1 Otrs | 2024-11-21 | 3.5 Low |
| When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. | ||||
| CVE-2020-1768 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.4 Medium |
| The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. | ||||
| CVE-2020-1762 | 2 Kiali, Redhat | 3 Kiali, Openshift Service Mesh, Service Mesh | 2024-11-21 | 7 High |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | ||||
| CVE-2020-1724 | 1 Redhat | 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more | 2024-11-21 | 4.3 Medium |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | ||||
| CVE-2020-1666 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | 6.6 Medium |
| The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO. | ||||
| CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-11-21 | 9.8 Critical |
| A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database. | ||||