ReportizFlow
Filtered by vendor
Subscriptions
Total
413 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55162 | 2025-09-03 | 6.3 Medium | ||
| Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1. | ||||
| CVE-2024-13280 | 1 Persistent Login Project | 1 Persistent Login | 2025-09-02 | 9.8 Critical |
| Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2. | ||||
| CVE-2025-4754 | 1 Team-alembic | 1 Ash Authentication Phoenix | 2025-09-02 | N/A |
| Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0. | ||||
| CVE-2025-4643 | 1 Payloadcms | 1 Payload | 2025-09-02 | N/A |
| Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload. | ||||
| CVE-2024-25051 | 3 Ibm, Linux, Microsoft | 3 Jazz Reporting Service, Linux Kernel, Windows | 2025-09-01 | 6.6 Medium |
| IBM Jazz Reporting Service 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated privileged user to impersonate another user on the system. | ||||
| CVE-2024-49825 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2025-09-01 | 6.3 Medium |
| IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2024-45651 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling Connect Direct Web Services, Linux Kernel and 1 more | 2025-09-01 | 6.3 Medium |
| IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2024-22351 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-09-01 | 6.3 Medium |
| IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2023-4320 | 1 Redhat | 4 Satellite, Satellite Capsule, Satellite Maintenance and 1 more | 2025-08-30 | 7.6 High |
| An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity. | ||||
| CVE-2024-43685 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2025-08-30 | 9.8 Critical |
| Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7. | ||||
| CVE-2022-2064 | 1 Nocodb | 1 Nocodb | 2025-08-26 | 8.8 High |
| Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+. | ||||
| CVE-2025-46815 | 1 Zitadel | 1 Zitadel | 2025-08-26 | 8 High |
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | ||||
| CVE-2025-33005 | 1 Ibm | 1 Planning Analytics Local | 2025-08-26 | 6.3 Medium |
| IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2025-2596 | 1 Checkmk | 1 Checkmk | 2025-08-25 | 5.3 Medium |
| Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL) | ||||
| CVE-2025-25019 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2025-08-24 | 4.8 Medium |
| IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system. | ||||
| CVE-2025-40566 | 1 Siemens | 1 Simatic Pcs Neo | 2025-08-22 | 8.8 High |
| A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. | ||||
| CVE-2025-53642 | 2 Haxtheweb, Psu | 4 Haxcms-nodejs, Haxcms-php, Haxcms-nodejs and 1 more | 2025-08-22 | 4.8 Medium |
| haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6. | ||||
| CVE-2024-32006 | 1 Siemens | 1 Sinema Remote Connect Client | 2025-08-20 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication. | ||||
| CVE-2024-41985 | 1 Siemens | 3 Smartclient Modules, Soa Audit, Soa Cockpit | 2025-08-12 | 2.6 Low |
| A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle. | ||||
| CVE-2025-50484 | 1 Phpgurukul | 1 Small Crm | 2025-08-07 | 7.1 High |
| Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack. | ||||