Total
331 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20903 | 1 Cloudfoundry | 1 User Account And Authentication | 2025-02-19 | N/A | 4.3 MEDIUM |
| This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days). | |||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2025-02-13 | N/A | 8.8 HIGH |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | |||||
| CVE-2025-24973 | 2025-02-11 | N/A | N/A | ||
| Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out. | |||||
| CVE-2024-45386 | 2025-02-11 | N/A | 8.8 HIGH | ||
| A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions < V19 Update 1), TIA Administrator (All versions < V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. | |||||
| CVE-2022-37186 | 1 Lemonldap-ng | 1 Lemonldap\ | 2025-02-06 | N/A | 5.9 MEDIUM |
| In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. | |||||
| CVE-2023-30403 | 1 Aigital | 2 Wireless-n Repeater Mini Router, Wireless-n Repeater Mini Router Firmware | 2025-01-30 | N/A | 7.5 HIGH |
| An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user. | |||||
| CVE-2020-4914 | 1 Ibm | 1 Cloud Pak System | 2025-01-29 | N/A | 4.2 MEDIUM |
| IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290. | |||||
| CVE-2023-33005 | 1 Jenkins | 1 Wso2 Oauth | 2025-01-23 | N/A | 5.4 MEDIUM |
| Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2024-30262 | 1 Contao | 1 Contao | 2025-01-09 | N/A | 7.1 HIGH |
| Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module. | |||||
| CVE-2024-34709 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 5.4 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0. | |||||
| CVE-2024-56351 | 1 Jetbrains | 1 Teamcity | 2025-01-02 | N/A | 8.8 HIGH |
| In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles | |||||
| CVE-2024-56413 | 2025-01-02 | N/A | N/A | ||
| Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | |||||
| CVE-2024-12667 | 1 Invoiceplane | 1 Invoiceplane | 2024-12-19 | N/A | 5.9 MEDIUM |
| A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | |||||
| CVE-2024-25619 | 1 Joinmastodon | 1 Mastodon | 2024-12-18 | N/A | 4.3 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability. | |||||
| CVE-2024-25628 | 1 Alf | 1 Alf | 2024-12-18 | N/A | 7.6 HIGH |
| Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-0008 | 1 Paloaltonetworks | 1 Pan-os | 2024-12-09 | N/A | 8.8 HIGH |
| Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access. | |||||
| CVE-2024-35160 | 1 Ibm | 2 Big Sql, Watson Query With Cloud Pak For Data | 2024-11-26 | N/A | 6.5 MEDIUM |
| IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. | |||||
| CVE-2024-45187 | 2024-11-25 | N/A | N/A | ||
| Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server | |||||
| CVE-2024-11208 | 1 Apereo | 1 Central Authentication Service | 2024-11-19 | N/A | 8.1 HIGH |
| A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-46892 | 1 Siemens | 1 Sinec Ins | 2024-11-13 | N/A | 8.1 HIGH |
| A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled. | |||||