Monthly
Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on session cookies when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, allowing remote attackers with user interaction to steal session tokens from cached public pages. The vulnerability affects server configurations that cache responses aggressively while maintaining per-request session handling, exposing authenticated users to session hijacking after visiting pages served from cache.
Insecure session management in SAP Business Objects Business Intelligence Platform allows unauthenticated attackers to obtain and reuse valid session tokens, enabling unauthorized access to victim sessions with moderate complexity. An attacker exploiting this vulnerability could access or modify information within the compromised session's scope, affecting confidentiality and integrity. The attack requires user interaction (UI:R) and high attack complexity (AC:H), limiting real-world exploitation but still warranting prioritized remediation for organizations running affected BI Platform versions.
HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows a Cookie Returned in Response Body issue (OVE-20230524-0017). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.