CVE-2024-25977 Session Fixation

The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser e.g. via XSS and prompt the victim to log in e.g. via a redirect to the login page. This results in the victim's account being taken over...

CVE-2024-25977

CVE-2024-25977 corresponds to a session-fixation vulnerability in the HAWKI interface (HAWK Digital Environments). The issue arises because the application does not change the session token on login/logout, allowing an attacker to set a victim’s token (e.g., via XSS) and prompt login, resulting i...

HAWKI 跨站脚本漏洞

HAWKI is a university teaching interface based on the OpenAI API by the HAWK Digital Environments team in Germany. HAWKI suffers from a cross-site scripting vulnerability that stems from the application not changing the session token when using the login or logout function, leading to a takeover ...

PT-2024-21251 · Interaction Design Team At The University Of Applied Sciences Arts In Hildesheim/Germany +1 · Hawki

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser, for example via XSS, and...

Session Hijacking

illuminate/auth is vulnerable to Session Hijacking. The vulnerability is due to insecure handling of "remember me" cookies, where previously hijacked cookies would remain valid even after the user's password was reset or they logged out...

PT-2024-40229 · Unknown · Php-Saml Toolkit

Name of the Vulnerable Software and Affected Versions: php-saml toolkit affected versions not specified Description: The issue arises from the implicit conversion of numerical values to boolean in PHP, which can lead to an error state being treated as a successful signature verification...

SAP BusinessObjects Business Intelligence Platform Multiple Vulnerabilities (May 2024)

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is potentially affected by the following vulnerabilities: - A cross-site scripting XSS vulnerability exists in the Opendocument URL due to improper validation of user-supplied input before...

GHSA-PRPF-CJ87-HWVR Magento Patch SUPEE-10752 - Multiple security enhancements vulnerabilities

Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution RCE, cross-site request forgery CSRF, and more. Key Security Improvements: -...

Improper Session Management

reportico-web/reportico is vulnerable to Improper Session Management. The vulnerability is due to improper handling of session tokens, which allows an attacker to reuse a token after a user has logged out...

Reportico Web fails to invalidate cookies upon logout

An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the...

GHSA-2Q2F-H83X-CX3X Reportico Web fails to invalidate cookies upon logout

An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the...

CVE-2024-33004

SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on...

CVE-2024-3460

In KioWare for Windows versions all through 8.34 it is possible to exit this software and use other already opened applications utilizing a short time window before the forced automatic logout occurs. Then, by using some built-in function of these applications, one may launch any other programs. ...

CVE-2024-3460

In KioWare for Windows versions all through 8.34 it is possible to exit this software and use other already opened applications utilizing a short time window before the forced automatic logout occurs. Then, by using some built-in function of these applications, one may launch any other programs. ...

CVE-2024-35049

SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590...

CVE-2024-35049

SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590...

SurveyKing 安全漏洞

SurveyKing is a powerful questionnaire system and exam system for javahuang individual developers. A security vulnerability exists in SurveyKing v1.3.1, which stems from the ability to keep a session active after a user logs out...

PT-2024-24139 · Unknown · Reportico Web

Name of the Vulnerable Software and Affected Versions: Reportico Web versions prior to 8.1.0 Description: The issue allows a local attacker to execute arbitrary code and obtain sensitive information via the sessionid function. This vulnerability arises from the failure of the web application to...

PT-2024-25050 · Sap · Sap Businessobjects Business Intelligence Platform

Name of the Vulnerable Software and Affected Versions: SAP Business Objects Business Intelligence Platform affected versions not specified Description: The issue concerns insecure storage where dynamic web pages are cached even after a user logs out. This allows an attacker to potentially view...

GHSA-G65H-35F3-X2W3 Directus Lacks Session Tokens Invalidation

Summary Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directussession gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by...