PT-2023-17693 · Cloud Foundry · Cloud Foundry UAA
Name of the Vulnerable Software and Affected Versions: Cloud Foundry UAA, affected versions not specified. Description: The issue is related to UAA refresh tokens and external identity providers. When an external identity provider linked to the UAA is deactivated, the UAA fails to reject refresh...
CVE-2023-20903
Summary (CVE-2023-20903) : Cloud Foundry UAA does not revoke refresh tokens when an external identity provider (IDP) is deactivated. As a result, clients issued refresh tokens on behalf of users from that IDP can continue to obtain access tokens and access Cloud Foundry resources until those toke...
CVE-2023-28443
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3...
GHSA-8VG2-WF3Q-MWV7 directus vulnerable to Insertion of Sensitive Information into Log File
Summary: CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. Details: Using v9.23.1, I am seeing that the directus_refresh_token is not...
Directus Log Information Disclosure Vulnerability
Directus is a real-time API and application dashboard used to manage SQL database content. A security vulnerability exists in Directus versions prior to 9.23.3, stemming from the directus_refresh_token not being properly redacted from log output; it can be used to impersonate a user without...
PT-2023-21726 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.23.3. Description: The issue concerns the improper redaction of the directus refresh token from log outputs, allowing it to be used to impersonate users without their permission. This can lead to issues with...
WordPress Read More Without Refresh Plugin <= 3.1 is vulnerable to Cross Site Scripting (XSS)
Software: Read More Without Refresh
Type: Plugin
Vulnerable versions: <= 3.1
Fixed in: 3.2
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-23793
Patch priority: Low
CVSS severity: Low 5.9
PSID: 1bf9aee89c13
Credits: Mika
Required...
CVE-2023-23929
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...
PYSEC-2023-54
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...
Design/Logic Flaw
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...
CVE-2023-23929 Refresh tokens do not expire in Vantage6
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...
Insufficient Session Expiration
vantage6 is vulnerable to Insufficient Session Expiration. An attacker is able to reuse old session credentials or session IDs for authorization because the refresh token is indefinitely valid...
keycloak: Session takeover with OIDC offline refreshtokens
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers, especially if cookies are not cleared, due to a lack of root session validation and the reuse of session IDs across root and user authentication sessions. This enables an attacker to...
GHSA-4W59-C3GC-RRHP vantage6 refresh tokens do not expire
From issue: Problem description: Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution: The refresh token should get a validity of 24-48 hours. Additional context: When implementing this, also check that the refresh token returns a new refresh token. When...
vantage6 refresh tokens do not expire
From issue: Problem description: Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution: The refresh token should get a validity of 24-48 hours. Additional context: When implementing this, also check that the refresh token returns a new refresh token. When...