GHSA-6J8J-4QP3-36P2 Weblate Doesn't Invalidate API Token on Password Change
Impact When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys, but DRF API tokens (wlu_ prefix) stored in authtoken_token are not revoked. Patches https://github.com/WeblateOrg/weblate/pull/19057 Resources Weblate thanks Sang Yu Jeon for reporting this via...
PT-2026-34541
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP...
CVE-2026-35653 OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...
CVE-2022-50951
WiFi File Transfer 1.0.8 has a persistent cross-site scripting (XSS) vulnerability via the web server input validation. Attackers can inject malicious scripts through file or folder names, leading to arbitrary JavaScript execution when users preview infected file paths and potentially compromisin...
PT-2026-5572
WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infect...
CVE-2025-10556
A stored Cross-site Scripting (XSS) vulnerability affecting Specification Management in ENOVIA Specification Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session...
EUVD-2002-0824
Malware in sbrugna...
EUVD-2019-15222
Malware in sbrugna...
Dassault Systèmes ENOVIA Collaborative Industry Innovator Security Vulnerability
Dassault Systèmes ENOVIA Collaborative Industry Innovator is an essential toolset for real-time, secure and structured collaboration and product content management for an engineering team at Dassault Systèmes France. A security vulnerability exists in Dassault Systèmes ENOVIA Collaborative Indust...
CVE-2024-5549
A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability also enables attackers to perform actions on behalf of the user, such as...
WooCommerce Security Breach
WooCommerce is an open source e-commerce platform built on WordPress by WooCommerce, Inc. A security vulnerability exists in WooCommerce version 8.8, which stems from vulnerability to cross-site scripting attacks that may allow an attacker to hijack content, data, and sessions stored in the brows...
New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam
A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs...
Decoding MrAnon Stealer’s Plot through Deceptive Emails
Summary: A phishing email campaign employs misleading booking details to lure victims, aiming to deploy a Python-based information stealer known as MrAnon Stealer. This malicious software is designed to pilfer victims' credentials, system details, browser sessions, and cryptocurrency extensions...
Improper Authentication in Mortbay Jetty
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors...
Laravel Booking System Booking Core Code Issue Vulnerability
A code issue vulnerability exists in Laravel Booking System Booking Core, a reservation system, which originates from sandbox.bookingcore.org/user/profile/change-password not invalidating a session opened in a different browser. No details of the vulnerability are currently available...
Session Fixation in alovoa/alovoa
Description On changing the password, both the session in which the user changes the password and old sessions in any other browser or device do not expire and remain active. Proof of Concept STEPS TO REPRODUCE: 1. Log in to Browser A and make sure to check the 'stay logged in to this device' checkbox while...
CVE-2019-5647
The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue...
CVE-2007-5614
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors...
Session Hijacking
Keycloak is vulnerable to session hijacking attacks. This allows the end user's access token or ID token JWT to be used as the session cookie for browser sessions for OIDC. An attacker could leverage this issue to gain unauthorized access to the affected application...
keycloak: session hijack using the user access token
Keycloak up to version 6.0.0 allows the end user's access token or ID token JWT to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack a user's browser session...