
Veracode, added 2025/12/13 5:11 a.m., 3 views

Improper Session Management

Keycloak is vulnerable to improper session management. The vulnerability is due to reuse of session identifiers and improper cleanup during logout when browser cookies are missing, which allows an attacker to gain unauthorized access to another user’s active session and receive their authenticati...

CVSS 6 | AI score 5.9 | EPSS 0.00017
Exploits 0 | References 14 | Affected software 1

Snyk, added 2025/10/28 2:42 p.m., 4 views

Session Fixation

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Session Fixation in the backchannel logout when browser cookies are missing. An attacker using the same brows...

CVSS 6 | AI score 7.1 | EPSS 0.00017
Exploits 0 | References 2

Cvelist, added 2025/10/28 1:23 p.m., 3 views

CVE-2025-12390 Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id

A flaw was found in Keycloak, where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As...

CVSS 6 | EPSS 0.00017
Exploits 0 | References 7

CNNVD, added 2025/10/12 12:00 a.m., 1 views

HCL Unica Platform Security Vulnerability

HCL Unica Platform is a state-of-the-art enterprise automated marketing platform from HCL India. It handles routine marketing tasks and captures the most effective leads without the need for manual intervention. HCL Unica Platform suffers from a security vulnerability that stems from cookies not...

CVSS 4.3 | AI score 6.7 | EPSS 0.00016
Exploits 0 | References 1

OSV, added 2025/07/11 5:33 p.m., 2 views

CVE-2025-53642 haxcms-nodejs and haxcms-php Improperly Terminate Sessions

haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6...

CVSS 4.8 | AI score 7 | EPSS 0.00164
Exploits 0 | References 3

OSV, added 2025/05/08 4:15 p.m., 1 views

DEBIAN-CVE-2025-26844

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag...

CVSS 9.8 | AI score 5.3 | EPSS 0.00366
Exploits 0 | References 1

OSV, added 2024/07/10 4:15 p.m., 0 views

CVE-2023-33860

IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the...

CVSS 5.3 | AI score 5.6 | EPSS 0.00045
Exploits 0 | References 2

RedHat Linux, added 2023/09/04 12:19 p.m., 3 views

tomcat: not including the secure attribute causes information disclosure

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

CVSS 4.3 | AI score 7.1 | EPSS 0.0011
Exploits 0 | References 6

CNNVD, added 2021/05/05 12:00 a.m., 1 views

BTCPay Server Information Disclosure Vulnerability

BTCPay Server is a self-hosted open source cryptocurrency payment processor. It is secure, private, uncensored and free. A cross-site scripting vulnerability exists in BTCPay Server 1.0.7.0 and earlier versions. The vulnerability stems from a failure to set the HTTPOnly flag for cookies. An...

CVSS 5.3 | AI score 5.2 | EPSS 0.00515
Exploits 0 | References 3

CNVD, added 2015/09/27 12:00 a.m., 1 views

IBM WebSphere eXtreme Scale Information Disclosure Vulnerability

IBM WebSphere eXtreme Scale is a distributed caching solution. IBM WebSphere Extreme Scale does not set a security flag for session cookies in SSL mode, allowing remote attackers to obtain cookie information by intercepting HTTP sessions...

CVSS 4.3 | AI score 6.5 | EPSS 0.00254
Exploits 0 | References 1