CVE-2022-35728

CRITICAL Year: 2022
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-613
View all →

Vulnerability Description

In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Related Vulnerabilities

CVE-2014-2595

CRITICAL
CVSS:9.8(Critical)

Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.

CWE-6132014

CVE-2015-5171

CRITICAL
CVSS:9.8(Critical)

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified imp...

CWE-6132015

CVE-2016-11014

CRITICAL
CVSS:9.8(Critical)

NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.

CWE-6132016

CVE-2016-5069

CRITICAL
CVSS:9.8(Critical)

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.

CWE-6132016

CVE-2016-6545

CRITICAL
CVSS:9.8(Critical)

Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this i...

CWE-6132016

CVE-2018-21018

CRITICAL
CVSS:9.8(Critical)

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

CWE-6132018