Vulnerabilities (CVE)

Filtered by CWE-613
Total 375 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-1003049 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2024-11-21 6.8 MEDIUM 8.1 HIGH
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
CVE-2019-0015 1 Juniper 22 Junos, Srx100, Srx110 and 19 more 2024-11-21 5.5 MEDIUM 5.4 MEDIUM
A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.
CVE-2018-7758 1 Schneider-electric 46 Micom P141, Micom P141 Firmware, Micom P142 and 43 more 2024-11-21 3.3 LOW 6.5 MEDIUM
A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
CVE-2018-6634 3 Canonical, Microsoft, Parsecgaming 3 Ubuntu Linux, Windows, Parsec 2024-11-21 7.5 HIGH 9.8 CRITICAL
A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 LTS Desktop' Build 142-1 allows unauthorized users to maintain access to an account.
CVE-2018-5438 1 Philips 1 Intellispace Cardiovascular 2024-11-21 3.3 LOW 6.3 MEDIUM
Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.
CVE-2018-2451 1 Sap 1 Hana Extended Application Services 2024-11-21 6.0 MEDIUM 6.6 MEDIUM
XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user's session might misuse the session token even after the session has been closed.
CVE-2018-21018 1 Joinmastodon 1 Mastodon 2024-11-21 7.5 HIGH 9.8 CRITICAL
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2018-1195 1 Cloudfoundry 3 Capi-release, Cf-deployment, Cf-release 2024-11-21 6.5 MEDIUM 8.8 HIGH
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
CVE-2018-14345 1 Sddm Project 1 Sddm 2024-11-21 6.0 MEDIUM 7.5 HIGH
An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.
CVE-2018-11386 2 Debian, Sensiolabs 2 Debian Linux, Symfony 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
CVE-2018-10990 1 Commscope 2 Arris Tg1682g, Arris Tg1682g Firmware 2024-11-21 7.5 HIGH 8.0 HIGH
On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.
CVE-2018-0152 1 Cisco 1 Ios Xe 2024-11-21 9.0 HIGH 8.8 HIGH
A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affected device with the privileges of the user who previously logged in to the web UI. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled and authentication, authorization, and accounting (AAA) authorization is not configured for EXEC sessions. The default state of the HTTP Server feature is version-dependent. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. Cisco Bug IDs: CSCvf71769.
CVE-2017-3966 1 Mcafee 1 Network Security Manager 2024-11-21 6.5 MEDIUM 6.4 MEDIUM
Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the application URL.
CVE-2017-1693 1 Ibm 1 Integration Bus 2024-11-21 6.8 MEDIUM 5.6 MEDIUM
IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.
CVE-2017-18905 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
CVE-2017-15653 1 Asus 1 Asuswrt 2024-11-21 6.5 MEDIUM 8.8 HIGH
Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string.
CVE-2016-20007 1 Rest\/json Project 1 Rest\/json 2024-11-21 5.0 MEDIUM 7.5 HIGH
The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
CVE-2016-11058 1 Netgear 1 Genie 2024-11-21 5.0 MEDIUM 7.5 HIGH
The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs.
CVE-2016-11014 1 Netgear 2 Jnr1010, Jnr1010 Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.
CVE-2016-0234 1 Ibm 1 Openpages Grc Platform 2024-11-21 2.1 LOW 4.0 MEDIUM
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.