Vulnrichment
added 2026/04/01 10:56 p.m., 2 views

CVE-2025-66483 Multiple vulnerabilities have been addressed in IBM Aspera Shares

IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate the session after a password reset, which could allow an authenticated user to impersonate another user on the system...

CVSS 6.3, AI score 5.9, EPSS 0.00176
Exploits 0, References 1

CVE
added 2026/04/01 10:56 p.m., 13 views

CVE-2025-66483

IBM Aspera Shares versions 1.9.9–1.11.0 are affected by an access control issue where a password reset does not invalidate the existing session, enabling an authenticated user to impersonate another user. The issue is documented across multiple sources (NVD, Red Hat, CNVD, EU ENISA, etc.) with th...

CVSS 6.5, AI score 5.9, EPSS 0.00176
Exploits 0, References 1, Affected Software 1

OSV
added 2026/04/01 10:09 p.m., 4 views

GHSA-8FQ3-C5W3-PJ3Q CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary. Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw). This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 4

Github Security Blog
added 2026/04/01 10:09 p.m., 11 views

CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary. Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw). This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 4, Affected Software 1

OSV
added 2026/04/01 10:08 p.m., 5 views

GHSA-4VXV-4XQ4-P84H CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary. Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw). This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 4

Github Security Blog
added 2026/04/01 10:08 p.m., 7 views

CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary. Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw). This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 4, Affected Software 1

Snyk
added 2026/04/01 10:08 p.m., 3 views

Incorrect Comparison Logic Granularity

Overview. ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Incorrect Comparison Logic Granularity due to improper session invalidation in the account deletion process. An attacker can maintain persistent access to protected...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 4

Cvelist
added 2026/04/01 9:35 p.m., 26 views

CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

CVSS 8.8, EPSS 0.00502
Exploits 1, References 2

Vulnrichment
added 2026/04/01 9:35 p.m., 3 views

CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 2

CVE
added 2026/04/01 9:35 p.m., 14 views

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, deactivated accounts do not have their active sessions revoked promptly; authentication-only enforcement allows already-authenticated users to retain access. The root cause is a backend logic flaw where account state changes ar...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 2, Affected Software 1

Vulnrichment
added 2026/04/01 9:30 p.m., 4 views

CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 2

CVE
added 2026/04/01 9:30 p.m., 9 views

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, it does not immediately revoke active sessions when an account is deleted, due to a backend logic flaw that enforces account state changes only at login, leaving existing sessions valid indefinitely. This allows deleted accounts...

CVSS 8.8, AI score 5.8, EPSS 0.00502
Exploits 1, References 2, Affected Software 1

Cvelist
added 2026/04/01 9:30 p.m., 19 views

CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

CVSS 8.8, EPSS 0.00502
Exploits 1, References 2

Positive Technologies
added 2026/04/01 12:00 a.m., 5 views

PT-2026-29641

CVE-2025-66483 IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the s… https://t.co/iUXS2ts14j...

CVSS 6.3, AI score 5.9, EPSS 0.00176
Exploits 0, References 3

RedhatCVE
added 2026/03/27 5:09 p.m., 7 views

CVE-2025-55264

HCL Aftermarket DPC is affected by a failure to invalidate the session on password change, which will allow an attacker access to a session; they can then maintain control over the account despite the password change, leading to account takeover...

CVSS 5.5, AI score 5.9, EPSS 0.00118
Exploits 0, References 1

EUVD
added 2026/03/26 3:30 p.m., 3 views

EUVD-2025-209085

HCL Aftermarket DPC is affected by a failure to invalidate the session on password change, which will allow an attacker access to a session; they can then maintain control over the account despite the password change, leading to account takeover...

CVSS 5.5, AI score 5.8, EPSS 0.00118
Exploits 0, References 2

NVD
added 2026/03/26 2:16 p.m., 3 views

CVE-2025-55264

HCL Aftermarket DPC is affected by a failure to invalidate the session on password change, which will allow an attacker access to a session; they can then maintain control over the account despite the password change, leading to account takeover...

CVSS 5.5, EPSS 0.00118
Exploits 0, References 1

Vulnrichment
added 2026/03/26 1:04 p.m., 1 view

CVE-2025-55264 HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change

HCL Aftermarket DPC is affected by a failure to invalidate the session on password change, which will allow an attacker access to a session; they can then maintain control over the account despite the password change, leading to account takeover...

CVSS 5.5, AI score 5.8, EPSS 0.00118
Exploits 0, References 1

ATTACKERKB
added 2026/03/26 1:04 p.m., 1 view

CVE-2025-55264

HCL Aftermarket DPC is affected by a failure to invalidate the session on password change, which will allow an attacker access to a session; they can then maintain control over the account despite the password change, leading to account takeover...

CVSS 5.5, AI score 5.8, EPSS 0.00118
Exploits 0, References 2, Affected Software 1

CVE
added 2026/03/26 1:04 p.m., 8 views

CVE-2025-55264

CVE-2025-55264 concerns HCL Aftermarket DPC, where a failure to invalidate sessions on password change can allow an attacker to retain access and maintain account control after a password update. The vulnerability description indicates a session persistence issue potentially enabling account take...

CVSS 5.5, AI score 5.8, EPSS 0.00118
Exploits 0, References 1, Affected Software 1