AppSec concerns: UUID generation
During static analysis, one of the things the application security team checks for is strong random number generation for security sensitive contexts. We see weaknesses in this space quite often for temporary passwords and session identifiers, but an increasingly common variant is for universally...
CVE-2020-19527
| creationtimestamp | type | source |
|---|---|---|
| 2020-12-11 02:34:35+00:00 | seen | https://t.me/cibsecurity/19640 |
| 2020-12-11 02:37:38+00:00 | seen | https://t.me/cibsecurity/19660 |
| 2020-12-11 03:25:30+00:00 | seen | https://t.me/cibsecurity/19680 |
| 2020-12-11 04:25:21+00:00 | seen | https://t.me/cibsecurity/197... |
CVE-2020-26228
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in...
Sql injection
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in...
CVE-2020-26228
TYPO3 prior to versions 9.5.23 and 10.4.10 stores user session identifiers in cleartext (no extra cryptographic hashing). The issue cannot be exploited directly and requires a chained attack (e.g., SQL injection in another component). Affected software is TYPO3 CMS (PHP-based). The remediation is...
PT-2020-16357 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 9.5.23 TYPO3 versions prior to 10.4.10 Description: The issue concerns user session identifiers being stored in cleartext without additional cryptographic hashing algorithms. This cannot be exploited directly and occur...
TYPO3 Encryption Problem Vulnerability (CNVD-2020-66591)
TYPO3 is a free and open source content management system framework CMS/CMF of the Swiss TYPO3 Typo3 Association. Typo3 is vulnerable to a cryptographic issue that stems from storing user session identifiers in plaintext. The vulnerability can be exploited in combination with other issues to...
TYPO3 Encryption Problem Vulnerability
TYPO3 is a free and open source content management system framework CMS/CMF of the Swiss TYPO3 Typo3 Association. Typo3 is vulnerable to a cryptographic issue that stems from storing user session identifiers in plaintext. The vulnerability can be exploited in combination with other issues to...
Microweber Session Expires Improperly Vulnerability
Microweber is an online store management system that provides drag and drop functionality from the Microweber community in the United States. The system includes modules for adding products, images, and more. A security vulnerability exists in Microweber. An attacker can exploit the vulnerability...
wildfly-elytron: session fixation when using FORM authentication
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as...
CVE-2020-10945
Centreon before 19.10.7 exposes Session IDs in server responses...
UBUNTU-CVE-2020-10945
Centreon before 19.10.7 exposes Session IDs in server responses...
CVE-2020-9502
Some Dahua products with Build time before December 2019 have predictable Session ID vulnerabilities. During normal user access, an attacker can use the predicted Session ID to construct a data packet to attack the device...
Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291)
Summary IBM Security Information Queue ISIQ session identifiers are not properly invalidated upon user logout from ISIQ's web UI. This creates opportunities for an attacker to hijack a user session token. As of v1.0.6, ISIQ immediately invalidates the session token when a user logs out...
UBUNTU-CVE-2020-1773
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords. This issue affects OTRS Community Edition:...
PT-2020-15050 · Otrs +2 · Otrs +3
Name of the Vulnerable Software and Affected Versions: OTRS Community Edition versions 5.0.41 and prior OTRS Community Edition versions 6.0.26 and prior OTRS versions 7.0.15 and prior Description: An attacker with the ability to generate session IDs or password reset tokens may be able to predict...
jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page...
DEBIAN-CVE-2014-2875
The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID...
CVE-2020-2103
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page...