Lucene search
24 matches found

RedhatCVE
added 2026/03/26 3:13 p.m. · 1 views

CVE-2025-13723

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token...

CVSS 7.5 · AI score 7.1 · EPSS 0.00018
Exploits 0 · References 1
Positive Technologies
added 2026/03/19 12:00 a.m. · 5 views

PT-2026-26493

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.52 Parse Server versions prior to 9.6.0-alpha.41 Description A flaw exists in Parse Server that allows an attacker to bypass authentication and log in as any user who has linked a third-party authentication...

CVSS 9.1 · AI score 5.8 · EPSS 0.00028
Exploits 0 · References 10
Positive Technologies
added 2026/03/13 12:00 a.m. · 2 views

PT-2026-25347

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 2
Cvelist
added 2024/09/11 1:34 p.m. · 25 views

CVE-2024-8642 Eclipse EDC: Consumer pull transfer token validation checks not applied

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before and issuance date), which allows an attacker to bypass the token expiration check. The issue requires having ...

CVSS 5 · EPSS 0.00115
Exploits 0 · References 4
BDU FSTEC
added 2024/08/01 12:00 a.m. · 1 views

A vulnerability in the User Information Handler component of the control panel of the IBM App Connect Enterprise integration platform allows an attacker to obtain confidential calendar information using an expired access token.

The vulnerability in the User Information Handler component of the IBM App Connect Enterprise control panel stems from deficiencies in the authentication process. Exploiting it could allow a remote malicious actor to obtain confidential...

CVSS 4.3 · AI score 5.5 · EPSS 0.00089
Exploits 0 · References 5 · Affected Software 1
BDU FSTEC
added 2024/08/01 12:00 a.m. · 1 views

A vulnerability in the User Information Handler component of the control panel of the IBM App Connect Enterprise integration platform allows an attacker to obtain confidential calendar information using an expired access token.

The vulnerability in the User Information Handler component of the IBM App Connect Enterprise control panel stems from deficiencies in the authentication process. Exploiting it could allow a remote malicious actor to obtain confidential...

CVSS 4.3 · AI score 5.5 · EPSS 0.00127
Exploits 0 · References 5 · Affected Software 1
RedhatCVE
added 2024/07/31 8:16 a.m. · 28 views

CVE-2023-40025

A flaw was found in Argo CD. Affected versions of Argo CD have a bug where open web terminal sessions do not expire. This bug allows users to send WebSocket messages even if the token has expired. The most straightforward scenario occurs when a user opens the terminal view and leaves it open for ...

CVSS 7.1 · AI score 6.1 · EPSS 0.00219
Exploits 1 · References 4
OSV
added 2024/05/22 7:15 p.m. · 2 views

CVE-2024-31893

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174...

CVSS 4.3 · AI score 5.8 · EPSS 0.00107
Exploits 0 · References 2
CNNVD
added 2024/05/22 12:00 a.m. · 2 views

IBM App Connect Enterprise security vulnerability

IBM App Connect Enterprise is an application integration platform from International Business Machines (IBM). It combines existing industry-trusted IBM Integration Bus technology with IBM App Connect Professional and new cloud-native...

CVSS 4.3 · AI score 6.3 · EPSS 0.00089
Exploits 0 · References 3
CNNVD
added 2024/05/22 12:00 a.m. · 4 views

IBM App Connect Enterprise security vulnerability

IBM App Connect Enterprise is an application integration platform from International Business Machines (IBM). It combines existing industry-trusted IBM Integration Bus technology with IBM App Connect Professional and new cloud-native...

CVSS 6.5 · AI score 6.4 · EPSS 0.00127
Exploits 0 · References 3
CNNVD
added 2024/05/22 12:00 a.m. · 2 views

IBM App Connect Enterprise security vulnerability

IBM App Connect Enterprise is an application integration platform from International Business Machines (IBM). It combines existing industry-trusted IBM Integration Bus technology with IBM App Connect Professional and new cloud-native...

CVSS 4.3 · AI score 6.4 · EPSS 0.00107
Exploits 0 · References 3
Github Security Blog
added 2022/05/17 4:31 a.m. · 25 views

OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

CVSS 4.9 · AI score 6.8 · EPSS 0.0031
Exploits 0 · References 10 · Affected Software 1
Huntr
added 2021/10/02 11:40 a.m. · 18 views

in cortezaproject/corteza-server

Set up the application on your local system. Steps: 1. Log in to the application and navigate to the settings, change the user password and capture the request in Burp Suite. 2. Now log out from the application and copy the Authorization token. 3. After logout the authorization token must be...

AI score 7
Exploits 0
Positive Technologies
added 2021/07/27 12:00 a.m. · 2 views

PT-2021-20923 · Unknown · Lemonldap::Ng

Name of the Vulnerable Software and Affected Versions: LemonLDAP::NG versions 2.0.4 through 2.0.12 Description: An issue was discovered in the OAuth2.0 handler where it does not verify access token validity due to a missing expiration check. This allows an attacker to use an expired access token...

CVSS 9.1 · AI score 6.9 · EPSS 0.00151
Exploits 0 · References 13
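Several of the entries above (the IBM Sterling and App Connect advisories, CVE-2024-8642 in Eclipse EDC, PT-2021-20923 in LemonLDAP::NG) describe the same defect class: a token validator that verifies who the token is for but never compares its time claims against the clock. The script below is an added illustration and not code from any of those projects. It uses a constructed, unsigned JSON claim set so it runs offline, assumes signature verification has already passed, and assumes a 60 second clock-skew allowance; it shows the vulnerable validator accepting an expired token beside a hardened one that enforces exp, nbf and iat.

```python
"""Temporal claim checks for bearer tokens: vulnerable vs hardened validator.

Added example; not code from Eclipse EDC, LemonLDAP::NG, IBM or any other
project listed on this page. Tokens are constructed JSON claim sets and
signature verification is assumed to have already happened.
"""
import json
from dataclasses import dataclass

CLOCK_SKEW_SECONDS = 60  # assumed tolerance for issuer/verifier clock drift

# Constructed sample tokens. NOW is fixed so results do not depend on the
# wall clock at run time.
NOW = 1_700_000_000
SAMPLE_TOKENS = {
    "fresh":      json.dumps({"sub": "alice", "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}),
    "expired":    json.dumps({"sub": "alice", "iat": NOW - 7200, "nbf": NOW - 7200, "exp": NOW - 3600}),
    "not_yet":    json.dumps({"sub": "alice", "iat": NOW, "nbf": NOW + 600, "exp": NOW + 4200}),
    "no_exp":     json.dumps({"sub": "alice", "iat": NOW - 60, "nbf": NOW - 60}),
    "exp_string": json.dumps({"sub": "alice", "iat": NOW - 60, "nbf": NOW - 60, "exp": "9999999999"}),
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def parse_claims(token: str) -> dict:
    """Decode the constructed JSON claim set; anything but an object is rejected."""
    claims = json.loads(token)
    if not isinstance(claims, dict):
        raise ValueError("claim set must be a JSON object")
    return claims


def validate_without_time_checks(claims: dict) -> Decision:
    """Vulnerable pattern: any well-formed token for a known subject is accepted,
    exp / nbf / iat are never consulted, so an expired token still passes."""
    if not isinstance(claims.get("sub"), str):
        return Decision(False, "missing sub")
    return Decision(True, "accepted without time checks")


def validate_time_claims(claims: dict, now: int, skew: int = CLOCK_SKEW_SECONDS) -> Decision:
    """Hardened pattern: exp, nbf and iat must all be present, numeric (bool is
    not accepted) and consistent with the verifier's clock within `skew` seconds."""
    if not isinstance(claims.get("sub"), str):
        return Decision(False, "missing sub")
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return Decision(False, f"{name} missing or not numeric")
    exp, nbf, iat = claims["exp"], claims["nbf"], claims["iat"]
    if now >= exp + skew:
        return Decision(False, "token expired")
    if now + skew < nbf:
        return Decision(False, "token not yet valid")
    if iat > now + skew:
        return Decision(False, "token issued in the future")
    if iat > exp:
        return Decision(False, "iat after exp")
    return Decision(True, "time claims valid")


def compare_validators(now: int = NOW) -> dict:
    """Run both validators over the samples; returns name -> (vulnerable, hardened)."""
    results = {}
    for name, token in SAMPLE_TOKENS.items():
        claims = parse_claims(token)
        results[name] = (validate_without_time_checks(claims), validate_time_claims(claims, now))
    return results


if __name__ == "__main__":
    for name, (weak, strict) in compare_validators().items():
        print(f"{name:11} vulnerable={weak.accepted!s:5} hardened={strict.accepted!s:5} ({strict.reason})")
```

Note the type check before the arithmetic: a claim that is missing or arrives as a string or boolean is rejected outright rather than coerced, because a validator that treats a missing `exp` as "no expiry" reproduces the bug the advisories describe.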
Tenable Nessus
added 2021/03/25 12:00 a.m. · 56 views

SaltStack < 3002.5 Multiple Vulnerabilities

According to its self-reported version number, the instance of SaltStack hosted on the remote server is affected by multiple vulnerabilities: - The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via sshoptions provided in an API request...

CVSS 9.8 · AI score 7.2 · EPSS 0.93846
Exploits 8 · References 11
NVD
added 2021/01/28 8:15 p.m. · 14 views

CVE-2020-1725

A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token...

CVSS 5.5 · AI score 5.4 · EPSS 0.00115
Exploits 0 · References 2
CNVD
added 2020/10/22 12:00 a.m. · 3 views

Spree Authorization Issues Vulnerability

Spree is an open-source e-commerce platform built with Ruby on Rails. An authorization issue vulnerability exists in Spree versions prior to 3.7.11, 4.0.4 and 4.1.11 (the 3.7, 4.0 and 4.1 series respectively); it stems from an expired user token that can still be used to access the Storefront API v2 endpoints. A...

CVSS 9.1 · AI score 6.8 · EPSS 0.00257
Exploits 0 · References 1
RubySec
added 2020/10/20 12:00 a.m. · 24 views

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

Impact: An attacker who previously obtained an old, expired user token could use it to access Storefront API v2 endpoints. Patches: Please upgrade to 3.7.11, 4.0.4 or 4.1.11 depending on the Spree version you use...

CVSS 9.1 · AI score 2.7 · EPSS 0.00257
Exploits 0 · References 1 · Affected Software 1
Hacker One
added 2020/07/08 5:23 p.m. · 41 views

Omise: Authenticity token doesn't expire after single use, leading to CSRF

Summary: You once said that you use the Ruby framework for making the authenticity token, which acts as CSRF protection. You also sent me this to help me understand: https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After looking into it, I found that an authenticity-token c...

AI score 7
Exploits 0
Hacker One
added 2016/06/19 5:40 p.m. · 25 views

Nextcloud: Password reset link remains valid after email change

Hey! I found a token misconfiguration flaw in Nextcloud 9.0.50 (latest version). When we reset the password for a user, a link is sent to the registered email address, but in case it remains unused and the email is updated by the user from the control panel, then too that old reset link sent to the old email addres...

AI score 0.3
Exploits 0
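The Nextcloud report above describes a reset link that stays usable after the account's e-mail address changes. The fix the report points at is binding the token to the address it was mailed to and re-checking that binding at redemption, not just expiry. The script below is an added example written for this page, not Nextcloud's code; the in-memory store, the one hour lifetime and the SHA-256 storage of the token are assumptions. It shows a legacy redeem path that only checks existence and expiry beside a bound one that also fails once the address changes.

```python
"""Password-reset tokens bound to the e-mail address they were sent to.

Added example for the Nextcloud report above; not Nextcloud's code. Storage,
lifetime and hashing details are assumptions chosen so the script runs offline.
"""
import hashlib
import secrets
from dataclasses import dataclass

RESET_TTL_SECONDS = 3600  # assumed validity window for a reset link


@dataclass
class Account:
    username: str
    email: str


@dataclass
class ResetRecord:
    username: str
    email_at_issue: str   # address the link was actually mailed to
    expires_at: int
    used: bool = False


class ResetTokenStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.records: dict[str, ResetRecord] = {}  # keyed by token hash

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is persisted, so a leaked store does not
        # yield redeemable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: int) -> str:
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        self.records[self._digest(token)] = ResetRecord(username, acct.email, now + RESET_TTL_SECONDS)
        return token  # the value embedded in the e-mailed link

    def change_email(self, username: str, new_email: str) -> None:
        self.accounts[username].email = new_email

    def redeem_legacy(self, token: str, now: int) -> tuple[bool, str]:
        """Vulnerable pattern: checks only that the token exists, is unused and
        is unexpired. A link mailed to an address the user no longer controls
        keeps working until it expires."""
        rec = self.records.get(self._digest(token))
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "token already used"
        if now >= rec.expires_at:
            return False, "token expired"
        rec.used = True
        return True, f"password reset authorised for {rec.username}"

    def redeem(self, token: str, now: int) -> tuple[bool, str]:
        """Hardened pattern: the same checks plus a binding check that the
        account's current address is still the one the link was mailed to."""
        rec = self.records.get(self._digest(token))
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "token already used"
        if now >= rec.expires_at:
            return False, "token expired"
        if self.accounts[rec.username].email != rec.email_at_issue:
            return False, "account e-mail changed since link was issued"
        rec.used = True
        return True, f"password reset authorised for {rec.username}"


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Constructed walk-through: issue a link, change the address, then try both
    redeem paths; also exercise replay and expiry on the bound path."""
    store = ResetTokenStore()
    store.accounts["alice"] = Account("alice", "alice@old.example")
    out = {}
    stale = store.issue("alice", now)
    store.change_email("alice", "alice@new.example")
    out["bound_after_change"] = store.redeem(stale, now + 10)
    out["legacy_after_change"] = store.redeem_legacy(stale, now + 10)
    fresh = store.issue("alice", now + 20)
    out["fresh"] = store.redeem(fresh, now + 30)
    out["replay"] = store.redeem(fresh, now + 40)
    out["expired"] = store.redeem(store.issue("alice", now), now + RESET_TTL_SECONDS)
    return out


if __name__ == "__main__":
    for step, (ok, why) in run_scenario().items():
        print(f"{step:20} ok={ok!s:5} {why}")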