129 matches found
Session Fixation
org.keycloak:keycloak-services is vulnerable to Session Fixation. The vulnerability is due to the session ID and JSESSIONID cookie not being changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured, allowing an attacker to hijack the session before authentication...
GHSA-5RXP-2RHR-QWQV Keycloak has session fixation in Elytron SAML adapters
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authenticati...
GHSA-J76J-RQWJ-JMVV Duplicate Advisory: Keycloak Session Fixation vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references. Original Description A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cook...
wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authenticati...
wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authenticati...
PT-2024-38275 · Red Hat · Keycloak Saml Adapters +1
Name of the Vulnerable Software and Affected Versions: Keycloak SAML adapters affected versions not specified Description: A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the...
udn News Information Disclosure Vulnerability
udn News is a news application from China United News udn Inc. An information disclosure vulnerability exists in udn News versions prior to 4.20.1, which stems from storing a user's session in a logcat file during user login, which can be retrieved by a malicious attacker who can use it to log in...
Design/Logic Flaw
A vulnerability has been identified in QMS Automotive All versions V12.39. The affected application returns inconsistent error messages in response to invalid user credentials during login session. This allows an attacker to enumerate usernames, and identify valid usernames...
UBUNTU-CVE-2023-39968
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URL...
RLSA-2023:4569 Moderate: dbus security update
D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fixes: dbus: dbus-daemon: assertion failure when a monitor is active and a message from the driver cannot be delivered...
CVE-2023-37946
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb1a20 and earlier does not invalidate the previous session on login...
[SECURITY] Fedora 38 Update: mingw-dbus-1.14.8-1.fc38
D-BUS is a system for sending messages between applications. It is used both for the system wide message bus service, and as a per-user-login-session messaging facility...
Fedora: Security Advisory for dbus (FEDORA-2023-c95d3f825f)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Jenkins WSO2 Oauth Plugin 代码问题漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...
OpenProject 代码问题漏洞
OpenProject is an open source Web-based project management software . The software features project planning, task management, bug tracking and cost budgeting. A code issue vulnerability exists in OpenProject versions 7.4.0 through 12.5.4 that stems from an existing login session for a user accou...
Fortinet FortiOS 安全漏洞
Fortinet FortiOS is a set of security operating system dedicated to FortiGate network security platform from American Fita Fortinet. The system provides users with a variety of security features such as firewall, antivirus, IPSec/SSLVPN, Web content filtering and anti-spam. A security vulnerabili...
DEBIAN-CVE-2022-24895
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enable...
Design/Logic Flaw
Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login...
Jenkins Plugin OpenID 安全漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...
CVE-2023-24426
Jenkins Azure AD Plugin 303.va91ef20ee49f and earlier does not invalidate the previous session on login...