6 matches found
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. Details SillyTavern relies on cookie-session for authentication, storing all session data user handle, permissions in a...
EUVD-2025-37392
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
CVE-2024-13996
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
Linux Distros Unpatched Vulnerability : CVE-2022-2031
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt...
CVE-2020-23686
Cross site request forgery CSRF vulnerability in AyaCMS 3.1.2 allows attackers to change an administrators password or other unspecified impacts...
CVE-2017-8848
Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password...