Total: 373 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-22771 | 1 Arubanetworks | 24 7010, 7030, 7205 and 21 more | 2025-03-07 | 6.8 Medium | An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account. |
CVE-2023-27891 | 1 Rami | 1 Pretix | 2025-03-06 | 7.5 High | rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. |
CVE-2023-40732 | 1 Siemens | 1 Qms Automotive | 2025-02-27 | 3.9 Low | A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks. |
CVE-2023-22591 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2025-02-26 | 3.9 Low | IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system to gain access, because session tokens are not invalidated after a password reset. IBM X-Force ID: 243710. |
CVE-2023-1543 | 1 Answer | 1 Answer | 2025-02-26 | 8.8 High | Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6. |
CVE-2023-23929 | 1 Vantage6 | 1 Vantage6 | 2025-02-25 | 8.8 High | vantage6 is a privacy-preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. |
CVE-2025-24896 | 1 Misskey | 1 Misskey | 2025-02-20 | 8.1 High | Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary affected users will be users who have logged into Misskey using a public PC or someone else's device, but it is possible that users who have logged out of Misskey before lending their PC to someone else could also be affected. Version 2025.2.0-alpha.0 contains a fix for this issue. |
CVE-2021-3844 | 1 Rapid7 | 1 Insightvm | 2025-02-19 | 5.7 Medium | Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638. |
CVE-2023-20903 | 1 Cloudfoundry | 1 User Account And Authentication | 2025-02-19 | 4.3 Medium | This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers. Assume that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, and the administrator of the UAA then deactivates the identity provider from the UAA. It is expected that the UAA would reject the refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days). |
CVE-2024-57056 | | | 2025-02-19 | 5.4 Medium | Incorrect cookie session handling in WombatDialer before 25.02 results in the full session identity being written to system logs and could be used by a malicious attacker to impersonate an existing user session. |
CVE-2024-22403 | 1 Nextcloud | 1 Nextcloud Server | 2025-02-13 | 3 Low | Nextcloud server is a self-hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability. |
CVE-2024-35050 | 1 Surveyking | 1 Surveyking | 2025-02-13 | 8.8 High | An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin. |
CVE-2024-35049 | 1 Surveyking | 1 Surveyking | 2025-02-13 | 9.1 Critical | SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590. |
CVE-2024-35048 | 1 Javahuang | 1 Surveyking | 2025-02-13 | 4.3 Medium | An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password. |
CVE-2025-1198 | 1 Gitlab | 1 Gitlab | 2025-02-13 | 4.2 Medium | An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. |
CVE-2025-24973 | | | 2025-02-11 | 9.4 Critical | Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out. |
CVE-2024-45386 | | | 2025-02-11 | 8.8 High | A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions < V19 Update 1), TIA Administrator (All versions < V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. |
CVE-2024-35206 | 1 Siemens | 1 Sinec Traffic Analyzer | 2025-02-11 | 7.7 High | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application does not expire the session. This could allow an attacker to get unauthorized access. |
CVE-2023-1788 | 1 Firefly-iii | 1 Firefly Iii | 2025-02-10 | 9.8 Critical | Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. |
CVE-2022-37186 | 1 Lemonldap-ng | 1 Lemonldap\ | 2025-02-06 | 5.9 Medium | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. |