Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-3215 | 1 Milwaukee | 1 One-key | 2024-11-21 | N/A |
| The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions. | ||||
| CVE-2017-1693 | 1 Ibm | 1 Integration Bus | 2024-11-21 | N/A |
| IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164. | ||||
| CVE-2017-18905 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. | ||||
| CVE-2017-15653 | 1 Asus | 1 Asuswrt | 2024-11-21 | N/A |
| Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string. | ||||
| CVE-2017-14007 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2024-11-21 | N/A |
| An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. | ||||
| CVE-2017-12867 | 1 Simplesamlphp | 1 Simplesamlphp | 2024-11-21 | N/A |
| The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | ||||
| CVE-2017-12191 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-11-21 | N/A |
| A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to. | ||||
| CVE-2017-12159 | 2 Keycloak, Redhat | 5 Keycloak, Enterprise Linux Server, Jboss Single Sign On and 2 more | 2024-11-21 | N/A |
| It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | ||||
| CVE-2017-11667 | 1 Openproject | 1 Openproject | 2024-11-21 | N/A |
| OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. | ||||
| CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2024-11-21 | N/A |
| Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | ||||
| CVE-2017-1000135 | 1 Mahara | 1 Mahara | 2024-11-21 | N/A |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | ||||
| CVE-2017-1000131 | 1 Mahara | 1 Mahara | 2024-11-21 | N/A |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | ||||
| CVE-2016-8712 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-11-21 | 8.1 High |
| An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. | ||||
| CVE-2016-6545 | 1 Ieasytec | 1 Itrackeasy | 2024-11-21 | N/A |
| Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password. | ||||
| CVE-2016-5069 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2024-11-21 | N/A |
| Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. | ||||
| CVE-2016-20007 | 1 Rest\/json Project | 1 Rest\/json | 2024-11-21 | 7.5 High |
| The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. | ||||
| CVE-2016-11058 | 1 Netgear | 1 Genie | 2024-11-21 | 7.5 High |
| The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs. | ||||
| CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2024-11-21 | 9.8 Critical |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. | ||||
| CVE-2016-0721 | 3 Clusterlabs, Fedoraproject, Redhat | 3 Pcs, Fedora, Enterprise Linux | 2024-11-21 | N/A |
| Session fixation vulnerability in pcsd in pcs before 0.9.157. | ||||
| CVE-2016-0234 | 1 Ibm | 1 Openpages Grc Platform | 2024-11-21 | N/A |
| IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303. | ||||