Total: 385 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-1666 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | 6.6 Medium | The system console configuration option 'log-out-on-disconnect' in Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.
CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-11-21 | 9.8 Critical | A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-11-21 | 5.9 Medium | Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
CVE-2020-15950 | 1 Immuta | 1 Immuta | 2024-11-21 | 8.8 High | Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
CVE-2020-15774 | 1 Gradle | 1 Enterprise | 2024-11-21 | 6.8 Medium | An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen the browser and access Gradle Enterprise as that user.
CVE-2020-15269 | 1 Sparksolutions | 1 Spree | 2024-11-21 | 7.4 High | In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
CVE-2020-15220 | 1 Combodo | 1 Itop | 2024-11-21 | 6.1 Medium | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which makes it possible to steal a user's session. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15218 | 1 Combodo | 1 Itop | 2024-11-21 | 6.8 Medium | Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so their content remains visible after logout by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-15074 | 1 Openvpn | 1 Openvpn Access Server | 2024-11-21 | 7.5 High | OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing existing tokens on reconnect, making it possible to circumvent the initial token expiry timestamp.
CVE-2020-14247 | 1 Hcltechsw | 1 Onetest Performance | 2024-11-21 | 6.5 Medium | HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.
CVE-2020-13353 | 1 Gitlab | 1 Gitaly | 2024-11-21 | 2.5 Low | When importing repos via URL, one-time-use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.
CVE-2020-13307 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.8 Low | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when two-factor authentication was activated, allowing a malicious user to maintain their access.
CVE-2020-13305 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 Low | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating the project invitation link upon removing a user from a project.
CVE-2020-13302 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.8 Low | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password.
CVE-2020-13299 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 8.1 High | A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens, and one could reuse them to obtain a valid session.
CVE-2020-12690 | 2 Openstack, Redhat | 2 Keystone, Openstack | 2024-11-21 | 8.8 High | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CVE-2020-11795 | 1 Jetbrains | 1 Space | 2024-11-21 | 7.5 High | In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.
CVE-2020-11688 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 7.5 High | In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends their session.
CVE-2020-10876 | 2 Mica, Oklok Project | 2 Fingerprint Bluetooth Padlock Fb50, Oklok | 2024-11-21 | 7.5 High | The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account.
CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2024-11-21 | 7.1 High | A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.