564 matches found
Insufficient Session Expiration
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate active session tokens after a password change. An attacker can maintain unauthorized access by continuing to use a previously established...
EUVD-2025-197620
Flowise Fails to Invalidate Existing Sessions After Password Changes...
Flowise Fails to Invalidate Existing Sessions After Password Changes
Summary Failure to Invalidate Existing Sessions After Password Change Persistent Session / Session Invalidity Failure. Details After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who...
GHSA-X7RP-QJ2H-GHGW Flowise Fails to Invalidate Existing Sessions After Password Changes
Summary Failure to Invalidate Existing Sessions After Password Change Persistent Session / Session Invalidity Failure. Details After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who...
CVE-2025-64489 SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an...
CVE-2025-64489 SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an...
CVE-2025-64489
CVE-2025-64489 (SuiteCRM) : Privilege escalation due to improper session invalidation after account deactivation. A user with a deactivated account but an active session can access the app and self-reactivate, enabling unauthorized persistence. Affected versions: 7.14.7 and earlier, and 8.0.0-bet...
CVE-2024-13996
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
EUVD-2025-37392
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
CVE-2025-63563
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
CVE-2025-63563
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
EUVD-2024-55047
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
CVE-2025-63563
The CVE-2025-63563 affects Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2. The root cause is improper invalidation of active sessions after a password change, enabling an attacker with a valid session token to retain access after the legitimate user changes their password....
CVE-2025-63563
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
CVE-2025-63563
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password...
CVE-2024-13996
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
CVE-2024-13996
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
CVE-2024-13996
CVE-2024-13996 affects Nagios XI prior to 2024R1.1.3. The issue is that changing a user password does not invalidate all other active sessions, allowing pre-existing sessions (potentially attacker-controlled) to remain valid and permit continued unauthorized access to user data and actions. Multi...
CVE-2024-13996 Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions including those potentially controlled by an attacker remained valid after a credential update. This insufficient session...
CVE-2025-60425
CVE-2025-60425 affects Nagios Fusion v2024R1.2 and v2024R2. The root cause is failure to invalidate existing session tokens when two-factor authentication is enabled, enabling session hijacking attacks. The CVSSv3.1 base score is 8.6 (HIGH) with network attack vector, no user interaction, and no ...