64 matches found
EUVD-2015-3258
Malware in sbrugna...
EUVD-2022-3920
Malicious code in bioql PyPI...
EUVD-2025-14293
Malicious code in bioql PyPI...
CVE-2024-52311
The CVE-2024-52311 entry concerns data.all (data-dot-all) where authentication tokens issued via Cognito are not invalidated on user logout. This allows a previously authenticated user to continue making authorized API requests until the Cognito token expires. The available connected documents id...
PT-2024-39043 · Brevo · The Newsletter
Name of the Vulnerable Software and Affected Versions: The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo plugin for WordPress versions up to, and including, 3.1.87 Description: The issue is due to missing or incorrect nonce validation on the Init function, making it possible for...
CVE-2023-46241 Potential account take over due to unverified emails from Microsoft Identity Platform
discourse-microsoft-auth is a plugin that enables authentication via Microsoft. On sites with the discourse-microsoft-auth plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than...
How to lock out your ex-partner from your smart home
Stalkers can use all kinds of apps, gadgets, devices, and phones to spy on their targets, which are often their ex-partners. Unfortunately, while they no doubt have many positive uses, smart home devices give stalkers an array of tools to keep an eye on their targets. If you are the partner that...
CVE-2023-49091
Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an...
CVE-2023-49091
CVE-2023-49091 affects Cosmos-server. The vulnerability arises because the authorization header token used for user login remains valid after logout, allowing an attacker to access the application/system even after the user has logged out. Impact is described as high/critical in multiple sources,...
CVE-2023-37504
HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user...
Rockwell Automation Pavilion8 License Issue Vulnerability
Rockwell Automation Pavilion8 is a model prediction console from Rockwell Automation. Rockwell Automation Pavilion8 suffers from an authorization issue vulnerability that stems from the fact that the JMX Console is publicly available to users and does not require authentication. An attacker could...
Authentication flaw
The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session...
CVE-2023-26448
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit...
Code injection
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit...
CVE-2023-26448
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit...
CVE-2023-2187
On Triangle MicroWorks' SCADA Data Gateway version = v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor.An unauthenticated user can use this vulnerability to forcefully log out of any currently logged-in user by sending a "password change event"...
Design/Logic Flaw
On Triangle MicroWorks' SCADA Data Gateway version = v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor.An unauthenticated user can use this vulnerability to forcefully log out of any currently logged-in user by sending a "password change event"...
CVE-2023-2187
CVE-2023-2187 affects Triangle MicroWorks’ SCADA Data Gateway (versions
CVE-2023-2187
On Triangle MicroWorks' SCADA Data Gateway version = v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor.An unauthenticated user can use this vulnerability to forcefully log out of any currently logged-in user by sending a "password change event"...
Insufficient Session Expiration
grumpydictator/firefly-iii is vulnerable to Insufficient Session Expiration. The vulnerability exists due to improper session configurations in session.php which allows an authenticated remote attacker to reuse session tokens because they do not expire after log out...