39 matches found
GHSA-5V7G-9H8F-8PGG Parse Server session creation endpoint allows overwriting server-generated session fields
Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...
CVE-2026-30970 Session authentication bypass in Coral Server session creation endpoint
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint perform...
PT-2026-24341
Name of the Vulnerable Software and Affected Versions Coral Server versions prior to 1.1.0 Description Coral Server is an open collaboration infrastructure designed for communication, coordination, trust, and payments within The Internet of Agents. Before version 1.1.0, the software permitted the...
CVE-2025-52563
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to insufficient sanitization of the page parameter in the session/adduserstosession.php endpoint. This issue has been patched in version 1.11.30...
CVE-2025-52563
Chamilo (LMS) is affected by a reflected XSS vulnerability in the session/add_users_to_session.php endpoint caused by insufficient sanitization of the page parameter. The issue exists before version 1.11.30 and is patched in v1.11.30. Evidence across sources (CVE-2025-52563) confirms the vulnerab...
CVE-2025-52563 Chamilo: Reflected XSS via page parameter
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to insufficient sanitization of the page parameter in the session/adduserstosession.php endpoint. This issue has been patched in version 1.11.30...
EUVD-2025-208178
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting XSS vulnerability due to insufficient sanitization of the page parameter in the session/adduserstosession.php endpoint. This issue has been patched in version 1.11.30...
EUVD-2025-208088
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/sessionajax.php endpoint. This issue was fixed in version 1.24.0190 Slican NCP and 6.61.0010 Slica...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception in the session establishment handler process. An attacker can cause the process to panic and terminate by sending a PFCP Session Establishment Request that omits the mandatory F-SEID CPF-SEID Information Element...
PT-2025-52284
Name of the Vulnerable Software and Affected Versions free5GC version 4.1.0 Description An issue exists in the LocalNode.Sess function that could allow attackers to cause a denial of service or other unspecified impacts. This can occur through a crafted header, specifically the Local SEID, within...
CVE-2025-65562
The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID e.g., 0xFFFFFFFFFFFFFFFF that causes an integer conversion/underflow in LocalNode.DeleteSess /...
CVE-2025-65561
An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request...
EUVD-2025-6203
Malicious code in bioql PyPI...
CVE-2025-25450
An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a remote attacker to escalate privileges via the deactivation of the activated second factor to the /session endpoint...
MyTaag 安全漏洞
MyTaag is a digital business card platform from MyTaag, Inc. designed to help users create, manage and share their professional identities online. A security vulnerability exists in MyTaag v.2024-11-24 and prior versions, which stems from a second factor activated via the /session endpoint...
CVE-2021-22029
VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting...
Vmware Workspace One 安全漏洞
Vmware Vmware Workspace One is a platform for supporting cross-device applications for rapid delivery and management of applications from Vmware, USA. The platform, which includes VMware Horizon and VMware Horizon Cloud, integrates access control, application management, and multi-platform endpoi...
PT-2020-12695 · Intuit · Argo
Name of the Vulnerable Software and Affected Versions: Argo version v1.5.0 Description: The issue allowed attackers to determine the usernames of valid non-SSO accounts. This was possible because the /api/v1/session endpoint returned a 401 status code for an existing username and a 404 status cod...
RubyGems: Login credentials transmitted in cleartext on index.rubygems.org
If someone links their target to http://index.rubygems.org then if they click "sign in" their credentials are transmitted plaintext as there is no https redirect or enforcing of https on the login form. Step 1: Link to http://index.rubuygems.org Step 2: sniff traffic open wifi / proxy / etc See t...