CVE Vulnerabilities

CVE-2023-40695

Insufficient Session Expiration

Published: May 03, 2024 | Modified: Jan 07, 2025
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io minimus.io echohq.com

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 264938.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name Vendor Start Version End Version
Cognos_controller Ibm 10.4.1 (including) 10.4.1 (including)
Cognos_controller Ibm 10.4.2 (including) 10.4.2 (including)
Cognos_controller Ibm 11.0.0 (including) 11.0.0 (including)

Potential Mitigations

References