135 matches found
Fedora 41 : webkitgtk (2025-059585d039)
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-059585d039 advisory. Limit the data stored in session state. Remove the empty area below the title bar in Web Inspector when not docked. Fix various crashes and renderin...
ASP.NET Cookieless Session State Enabled
.NET Framework offers an alternative to cookie based session management named 'cookieless' by allowing developers to store the session ID directly in URLs rather than in cookies. When enabled, this feature can be abused to make session hijacking attacks easier to exploit or to craft valid URLs in...
CVE-2022-39268
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
Improper Authentication
Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Improper Authentication due to improper clearing of cookies through the handlehttp function of the air.py component. An attacker can gain unauthorized access to th...
Session Appears Down in XenApp Farm and Csrss.exe Process Remains Active in Session
Session appears in astate in the XenApp farm. Csrss.exe process remains active in the session. This generally means that the session had problems on logoff and remains hung until it is manually terminated or the server is restarted. Additionally, if the server has sessions in this state and is...
Insufficiently Protected Credentials
SimpleSAMLphp is vulnerable to Insufficiently Protected Credentials. The vulnerability is due to credentials being insecurely saved to the user's session state when the ECP profile is disabled but supported in the Identity Provider's metadata, which could result in an attacker with administrator...
BIT-TENSORFLOW-2020-15204 Segfault in Tensorflow
In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling tf.rawops.GetSessionHandle or tf.rawops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx-sessionstate returns nullptr. Since...
CVE-2023-49255 Router console accessible without authentication
The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated...
Malicious code in fc-session-state (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ce915f34780e87423580299a1d37897334a16ce4f4031b78bcf4c630cab69513 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-366 Malicious code in fc-session-state (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ce915f34780e87423580299a1d37897334a16ce4f4031b78bcf4c630cab69513 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2009-4136
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain...
SUSE CVE-2012-5886
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...
PT-2022-8577 · Mozilla · Vpn
Name of the Vulnerable Software and Affected Versions: Mozilla VPN iOS versions 1.0.7 and earlier Mozilla VPN Windows versions prior to 1.2.2 Mozilla VPN Android versions 1.1.0 and earlier Description: An issue existed in the VPN login flow, where an attacker could craft a custom login URL and...
CVE-2022-39268
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
Design/Logic Flaw
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
CVE-2022-39268 orchest vulnerable to cross-site request forgery that allows control of a user instance
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
CVE-2022-39268 orchest vulnerable to cross-site request forgery that allows control of a user instance
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
CVE-2022-39268
CVE-2022-39268 affects Orchest, specifically the auth-server component. The vulnerability is a Cross‑Site Request Forgery (CSRF) issue where an attacker tricks an innocent user into submitting unintended requests, potentially leaking data or altering session state or user accounts. A fix is avail...
GHSA-9XRJ-439H-62HG Improper Authentication in Apache Tomcat
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...
GHSA-HMHQ-382Q-MP56 ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists...