
2357 matches found

Positive Technologies · added 2023/05/26 12:00 a.m. · 3 views

PT-2023-8428 · Nextcloud +1 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 25.0.6; Nextcloud Server versions prior to 26.0.1. Description: A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout...

CVSS 9.8 · AI score 5.5 · EPSS 0.00824
Exploits 6 · References 91
OpenVAS · added 2023/05/25 12:00 a.m. · 16 views

Nextcloud Server 25.0.2 < 25.0.6, 26.0.x < 26.0.1 Insufficient Session Expiration Vulnerability (GHSA-q8c4-chpj-6v38)

Nextcloud Server is prone to an insufficient session expiration vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 7.2 · AI score 6.6 · EPSS 0.0005
Exploits 0 · References 1
Nextcloud · added 2023/05/24 9:45 a.m. · 34 views

User session not correctly destroyed on logout

None...

CVSS 7.2 · AI score 6.4 · EPSS 0.0005
Exploits 0 · References 1 · Affected software 1
OSV · added 2023/05/20 7:15 a.m. · 1 view

CVE-2023-2822

A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.1 · AI score 3.7 · EPSS 0.80995
Exploits 1 · References 4
CNNVD · added 2023/05/20 12:00 a.m. · 1 view

Ellucian cross-site scripting vulnerability

Ellucian is Ellucian's open and flexible technology ecosystem supporting SaaS. A cross-site scripting vulnerability exists in Ellucian Ethos Identity versions prior to 5.10.5, which stems from the presence of an unknown function in the file /cas/logout that leads to cross-site scripting via the...

CVSS 6.1 · AI score 4.6 · EPSS 0.80995
Exploits 1 · References 5
Positive Technologies · added 2023/05/20 12:00 a.m. · 3 views

PT-2023-21637 · Ellucian · Ellucian Ethos Identity

Name of the Vulnerable Software and Affected Versions: Ellucian Ethos Identity versions up to 5.10.5. Description: A problematic issue has been found in Ellucian Ethos Identity, where the manipulation of the url argument in an unknown function of the file /cas/logout leads to cross-site scripting...

CVSS 6.1 · AI score 4.7 · EPSS 0.80995
Exploits 1 · References 10
Tenable Nessus · added 2023/05/09 12:00 a.m. · 19 views

Siemens SICAM P850 and P855 Devices Session Fixation (CVE-2022-40226)

A vulnerability has been identified in SICAM P850 All versions V3.10, SICAM P855 All versions V3.10. Affected devices accept user defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login. This plug...

CVSS 8.1 · AI score 7.5 · EPSS 0.00334
Exploits 0 · References 3
Vulnrichment · added 2023/05/08 8:27 p.m. · 6 views

CVE-2023-31140 OpenProject user sessions not terminated after activation of 2FA

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if a...

CVSS 4.8 · AI score 6.6 · EPSS 0.00214
Exploits 1 · References 4
OSV · added 2023/05/05 7:15 p.m. · 1 view

CVE-2020-4914

IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290...

CVSS 4.2 · AI score 5.8 · EPSS 0.00073
Exploits 0 · References 2
CNNVD · added 2023/05/05 12:00 a.m. · 2 views

IBM Cloud Pak System code issue vulnerability

IBM Cloud Pak System is a full-stack, converged infrastructure with configurable, pre-integrated software from International Business Machines (IBM). The product supports deploying, managing and moving application environments across hybrid clouds. A code issue vulnerability exists in IBM Cloud Pak...

CVSS 5.5 · AI score 5.8 · EPSS 0.00073
Exploits 0 · References 3
Hacker One · added 2023/05/03 8:40 p.m. · 28 views

Weblate: Logging in without knowing credentials after logged out action

A vulnerability was discovered where a user could remain logged in to a website even after logging out, and the next person who accesses the site could be automatically logged in as the previous user without needing their credentials. This could potentially lead to sensitive data exposure and...

AI score 6.7
Exploits 0
Hacker One · added 2023/05/03 8:27 p.m. · 23 views

Weblate: CSRF with logout action

A vulnerability was discovered in Weblate that allowed a bad actor to log out a user by tricking them into clicking a specially crafted link or button. This vulnerability was caused by a lack of CSRF protection on the logout action...

AI score 6.9
Exploits 0
OSV · added 2023/04/21 11:5 a.m. · 2 views

OESA-2023-1236 mod_auth_openidc security update

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) to an OpenID Connect Provider (OP). Security Fixes: mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to...

CVSS 7.5 · AI score 7.1 · EPSS 0.00521
Exploits 0 · References 3
Veracode · added 2023/04/21 2:20 a.m. · 97 views

Improper Logout Implementation

spring-security-web is vulnerable to Improper Logout Implementation. The vulnerability exists in the SwitchUserFilter.java because it does not properly clean the security context if using serialized versions, which allows an attacker to stay authenticated even after they perform a logout...

CVSS 6.3 · AI score 8.7 · EPSS 0.00461
Exploits 0 · References 6 · Affected software 1
Positive Technologies · added 2023/04/21 12:00 a.m. · 4 views

PT-2023-18362 · Unknown · Rosariosis

Name of the Vulnerable Software and Affected Versions: RosarioSIS versions prior to 10.9.3. Description: The issue allows a user to access a page containing personally identifiable information (PII) and sensitive information after logging out of the application by using the browser's back button. Th...

CVSS 6.5 · AI score 4.6 · EPSS 0.0023
Exploits 0 · References 8
OSV · added 2023/04/19 9:30 p.m. · 0 views

GHSA-X873-6RGC-94JC Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3 · AI score 6.8 · EPSS 0.00461
Exploits 0 · References 4
Github Security Blog · added 2023/04/19 9:30 p.m. · 91 views

Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3 · AI score 6.7 · EPSS 0.00461
Exploits 0 · References 4 · Affected software 1
NVD · added 2023/04/19 8:15 p.m. · 17 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3 · AI score 6.6 · EPSS 0.00461
Exploits 0 · References 2
OSV · added 2023/04/19 8:15 p.m. · 35 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3 · AI score 6.4 · EPSS 0.00461
Exploits 0 · References 2
Prion · added 2023/04/19 8:15 p.m. · 30 views

Design/Logic Flaw

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.5 · AI score 6.2 · EPSS 0.00461
Exploits 0 · References 2 · Affected software 1