Lucene search
K

257 matches found

Positive Technologies
Positive Technologies
added 2023/03/23 12:0 a.m.9 views

PT-2023-21726 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.23.3 Description: The issue concerns the improper redaction of the directus refresh token from log outputs, allowing it to be used to impersonate users without their permission. This can lead to issues with...

5.5CVSS5.2AI score0.00312EPSS
Exploits1References8
CNNVD
CNNVD
added 2023/03/23 12:0 a.m.3 views

Directus 日志信息泄露漏洞

Directus is a real-time Api and application dashboard. It is used to manage Sql database content. A security vulnerability exists in Directus versions prior to 9.23.3, which stems from directusrefreshtoken not being properly edited from log output, and can be used to impersonate a user without...

5.5CVSS5.6AI score0.00312EPSS
Exploits1References5
NVD
NVD
added 2023/03/04 12:15 a.m.32 views

CVE-2023-23929

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS8.7AI score0.00571EPSS
Exploits0References2
PyPA
PyPA
added 2023/03/04 12:15 a.m.6 views

PYSEC-2023-54

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS6.9AI score0.00571EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2023/03/04 12:15 a.m.14 views

Design/Logic Flaw

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

6.5CVSS8.7AI score0.00571EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2023/03/04 12:15 a.m.40 views

PYSEC-2023-54

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS8.9AI score0.00571EPSS
Exploits0References2
Cvelist
Cvelist
added 2023/03/03 11:37 p.m.34 views

CVE-2023-23929 Refresh tokens do not expire in Vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS8.9AI score0.00571EPSS
Exploits0References2
OSV
OSV
added 2023/03/03 11:37 p.m.23 views

CVE-2023-23929 Refresh tokens do not expire in Vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

8.8CVSS8.6AI score0.00571EPSS
Exploits0References4
Veracode
Veracode
added 2023/03/02 4:46 p.m.17 views

Insufficient Session Expiration

vantage6 is vulnerable to Insufficient Session Expiration. An attacker is able to reuse old session credentials or session IDs for authorization because the refresh token is indefinitely valid...

8.8CVSS8.4AI score0.00571EPSS
Exploits0References4Affected Software3
RedHat Linux
RedHat Linux
added 2023/03/01 9:45 p.m.4 views

keycloak: Session takeover with OIDC offline refreshtokens

A flaw was found in the offlineaccess scope in Keycloak. This issue would affect users of shared computers more especially if cookies are not cleared, due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

6.8CVSS6.3AI score0.00952EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2023/02/28 11:20 p.m.30 views

vantage6 refresh tokens do not expire

From issue: Problem description Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution The refresh token should get a validity of 24-48 hours. Additional context When implementing this, also check that the refresh token returns a new refresh token When...

8.8CVSS8.3AI score0.00571EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2023/02/28 12:0 a.m.5 views

PT-2023-19303 · Vantage6 · Vantage6

Name of the Vulnerable Software and Affected Versions: vantage6 versions prior to 3.8.0 Description: The issue concerns the refresh token in vantage6, a privacy-preserving federated learning infrastructure, which is currently valid indefinitely. This is considered bad security practice. The refre...

8.8CVSS8.5AI score0.00571EPSS
Exploits0References9
Hacker One
Hacker One
added 2023/02/14 5:34 p.m.63 views

Bitwarden: Biometric key is stored in Windows Credential Manager, accessible to other local unprivileged processes

A vulnerability in Bitwarden Desktop for Windows allowed a local attacker to access the biometric master key used for unlocking the vault through Windows Hello. The key was stored in plaintext in the Windows Credential Manager, accessible to any local unprivileged process. This allowed an attacke...

7.1CVSS6.8AI score0.00585EPSS
Exploits1
NVD
NVD
added 2023/02/11 1:23 a.m.16 views

CVE-2022-34392

SupportAssist for Home PCs versions 3.11.4 and prior contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information...

5.5CVSS5.3AI score0.00164EPSS
Exploits0References1
OSV
OSV
added 2023/02/11 1:23 a.m.3 views

CVE-2022-34392

SupportAssist for Home PCs versions 3.11.4 and prior contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information...

5.5CVSS5.7AI score
Exploits0References1
Prion
Prion
added 2023/02/11 1:23 a.m.19 views

Session fixation

SupportAssist for Home PCs versions 3.11.4 and prior contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information...

1.7CVSS5.4AI score0.00164EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2023/02/10 8:26 p.m.31 views

CVE-2022-34392

SupportAssist for Home PCs versions 3.11.4 and prior contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information...

5.5CVSS5.6AI score0.00164EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2023/01/11 12:0 a.m.7 views

PT-2023-18543 · Zitadel · Zitadel

Name of the Vulnerable Software and Affected Versions: ZITADEL versions prior to 2.16.4 ZITADEL versions prior to 2.17.3 Description: ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's...

5.9CVSS5.6AI score0.00599EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2022/12/13 2:3 p.m.21 views

keycloak: Session takeover with OIDC offline refreshtokens

A flaw was found in the offlineaccess scope in Keycloak. This issue would affect users of shared computers more especially if cookies are not cleared, due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

6.8CVSS6.3AI score0.00952EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2022/11/09 6:25 p.m.41 views

CVE-2022-3916

A flaw was found in the offlineaccess scope in Keycloak. This issue would affect users of shared computers more especially if cookies are not cleared, due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

6.8CVSS3.4AI score0.00952EPSS
Exploits0References3
Rows per page
Query Builder