28 matches found
CVE-2025-57766
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS ca...
Fides' Admin UI User Password Change Does Not Invalidate Current Session
Summary Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS can maintain access even after password reset. This issue is not directly...
PT-2025-36626
Summary Insecure session handling opened room for a privilege escalation scenario in which prebuilt workspaces could be compromised by abusing a shared system identity. Details Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via...
CVE-2021-26921
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled...
CVE-2025-24896 Misskey allows token to remain valid in cookie after signing out
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named token is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary...
Unspecified Vulnerability in JetBrains TeamCity
JetBrains TeamCity is a Continuous Integration CI/CD tool that is primarily used to automate the software build, test, and deployment process. A security vulnerability exists in JetBrains TeamCity that can be exploited by an attacker to cause access tokens to continue to work after they have been...
PT-2021-17177 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 1.8.4 Description: The issue arises from the fact that tokens remain active even after the associated user account has been disabled. This is due to a problem in the util/session/sessionmanager.go file...
CVE-2020-9482
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging ou...