Lucene search

1616 matches found

Positive Technologies
added 2023/03/28 12:00 a.m. · 6 views

PT-2023-17693 · Cloud Foundry · Cloud Foundry Uaa

Name of the Vulnerable Software and Affected Versions: Cloud Foundry UAA (affected versions not specified). Description: The issue is related to UAA refresh tokens and external identity providers. When an external identity provider linked to the UAA is deactivated, the UAA fails to reject refresh...

CVSS 4.3 · AI score 4.2 · EPSS 0.00404
Exploits 0 · References 3
CVE
added 2023/03/28 12:00 a.m. · 86 views

CVE-2023-20903

Summary (CVE-2023-20903) : Cloud Foundry UAA does not revoke refresh tokens when an external identity provider (IDP) is deactivated. As a result, clients issued refresh tokens on behalf of users from that IDP can continue to obtain access tokens and access Cloud Foundry resources until those toke...

CVSS 4.3 · AI score 4.5 · EPSS 0.00404
Exploits 0 · References 1 · Affected Software 1
NVD
added 2023/03/24 12:15 a.m. · 18 views

CVE-2023-28443

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3...

CVSS 5.5 · AI score 5 · EPSS 0.00312
Exploits 1 · References 3
OSV
added 2023/03/23 7:47 p.m. · 37 views

GHSA-8VG2-WF3Q-MWV7 directus vulnerable to Insertion of Sensitive Information into Log File

Summary: CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. Details: Using v9.23.1, I am seeing that the directus_refresh_token is not...

CVSS 4.2 · AI score 4.8 · EPSS 0.00312
Exploits 1 · References 5
CNNVD
added 2023/03/23 12:00 a.m. · 2 views

Directus log information disclosure vulnerability

Directus is a real-time API and application dashboard used to manage SQL database content. A security vulnerability exists in Directus versions prior to 9.23.3, which stems from the directus_refresh_token not being properly redacted from log output; it can be used to impersonate a user without...

CVSS 5.5 · AI score 5.6 · EPSS 0.00312
Exploits 1 · References 5
Positive Technologies
added 2023/03/23 12:00 a.m. · 8 views

PT-2023-21726 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.23.3. Description: The issue concerns the improper redaction of the directus refresh token from log outputs, allowing it to be used to impersonate users without their permission. This can lead to issues with...

CVSS 5.5 · AI score 5.2 · EPSS 0.00312
Exploits 1 · References 8
Patchstack
added 2023/03/20 12:00 a.m. · 9 views

WordPress Read More Without Refresh Plugin <= 3.1 is vulnerable to Cross Site Scripting (XSS)

Software: Read More Without Refresh · Type: Plugin · Vulnerable versions: <= 3.1 · Fixed in: 3.2 · OWASP Top 10: A7: Cross-Site Scripting (XSS) · Classification: Cross Site Scripting (XSS) · CVE: CVE-2023-23793 · Patch priority: Low · CVSS severity: Low 5.9 · PSID: 1bf9aee89c13 · Credits: Mika · Required...

CVSS 5.9 · AI score 5.8 · EPSS 0.00392
Exploits 0 · References 2 · Affected Software 1
NVD
added 2023/03/04 12:15 a.m. · 31 views

CVE-2023-23929

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 8.7 · EPSS 0.00571
Exploits 0 · References 2
OSV
added 2023/03/04 12:15 a.m. · 39 views

PYSEC-2023-54

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 8.9 · EPSS 0.00571
Exploits 0 · References 2
Prion
added 2023/03/04 12:15 a.m. · 14 views

Design/Logic Flaw

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 6.5 · AI score 8.7 · EPSS 0.00571
Exploits 0 · References 2 · Affected Software 1
PyPA
added 2023/03/04 12:15 a.m. · 5 views

PYSEC-2023-54

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 6.9 · EPSS 0.00571
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2023/03/03 11:37 p.m. · 33 views

CVE-2023-23929 Refresh tokens do not expire in Vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 8.9 · EPSS 0.00571
Exploits 0 · References 2
Vulnrichment
added 2023/03/03 11:37 p.m. · 8 views

CVE-2023-23929 Refresh tokens do not expire in Vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 8.7 · EPSS 0.00571
Exploits 0 · References 2
OSV
added 2023/03/03 11:37 p.m. · 21 views

CVE-2023-23929 Refresh tokens do not expire in Vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0...

CVSS 8.8 · AI score 8.6 · EPSS 0.00571
Exploits 0 · References 4
Veracode
added 2023/03/02 4:46 p.m. · 16 views

Insufficient Session Expiration

vantage6 is vulnerable to Insufficient Session Expiration. An attacker is able to reuse old session credentials or session IDs for authorization because the refresh token is indefinitely valid...

CVSS 8.8 · AI score 8.4 · EPSS 0.00571
Exploits 0 · References 4 · Affected Software 3
RedHat Linux
added 2023/03/01 9:58 p.m. · 6 views

keycloak: Session takeover with OIDC offline refreshtokens

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers, especially if cookies are not cleared, due to a lack of root session validation and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

CVSS 6.8 · AI score 6.3 · EPSS 0.00952
Exploits 0 · References 4
RedHat Linux
added 2023/03/01 9:45 p.m. · 4 views

keycloak: Session takeover with OIDC offline refreshtokens

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers, especially if cookies are not cleared, due to a lack of root session validation and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

CVSS 6.8 · AI score 6.3 · EPSS 0.00952
Exploits 0 · References 4
RedHat Linux
added 2023/03/01 9:45 p.m. · 4 views

keycloak: Session takeover with OIDC offline refreshtokens

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers, especially if cookies are not cleared, due to a lack of root session validation and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

CVSS 6.8 · AI score 6.3 · EPSS 0.00952
Exploits 0 · References 4
OSV
added 2023/02/28 11:20 p.m. · 23 views

GHSA-4W59-C3GC-RRHP vantage6 refresh tokens do not expire

From issue: Problem description: Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution: The refresh token should get a validity of 24-48 hours. Additional context: When implementing this, also check that the refresh token returns a new refresh token. When...

CVSS 8.8 · AI score 8.6 · EPSS 0.00571
Exploits 0 · References 5
Github Security Blog
added 2023/02/28 11:20 p.m. · 30 views

vantage6 refresh tokens do not expire

From issue: Problem description: Currently, the refresh token is valid indefinitely. This is bad security practice. Desired solution: The refresh token should get a validity of 24-48 hours. Additional context: When implementing this, also check that the refresh token returns a new refresh token. When...

CVSS 8.8 · AI score 8.3 · EPSS 0.00571
Exploits 0 · References 5 · Affected Software 1