CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

CVE-2019-10157

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

Design/Logic Flaw

A vulnerability has been identified in SIEMENS LOGO!8 6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx, SIEMENS LOGO!8 6ED1052-xyy08-0BA0 FS:01 / Firmware version V1.82.02. The integrated webserver does not invalidate the Session ID upon user logout. An attacker that...

Code injection

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access...

CVE-2019-6584

A vulnerability has been identified in SIEMENS LOGO!8 6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx, SIEMENS LOGO!8 6ED1052-xyy08-0BA0 FS:01 / Firmware version V1.82.02. The integrated webserver does not invalidate the Session ID upon user logout. An attacker that...

keycloak: Node.js adapter internal NBF can be manipulated leading to DoS.

It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely...

CVE-2019-7215

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions...

CVE-2019-7215

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions...

CVE-2019-5627

The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The...

Amazon Linux 2 : mod_auth_mellon (ALAS-2019-1200)

A vulnerability was found in a previous version of modauthmellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute...

CVE-2018-20839

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE aka current keyboard mode check is mishandled...

Code injection

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE aka current keyboard mode check is mishandled...

DEBIAN-CVE-2018-20839

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE aka current keyboard mode check is mishandled...

Open Redirection

modauthmellon is vulnerable to open redirection vulnerability. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL...

Important: mod_auth_mellon

Issue Overview: A vulnerability was found in a previous version of modauthmellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them ...

CVE-2018-7064

A reflected cross-site scripting XSS vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session...

Command injection

The Rediffmail aka com.rediff.mail.and application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout...

CVE-2019-11836

The Rediffmail aka com.rediff.mail.and application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout...

CVE-2019-11836

The Rediffmail aka com.rediff.mail.and application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout...

CVE-2019-11836

The CVE-2019-11836 entry applies to the Rediffmail Android app (com.rediff.mail.and) version 2.2.6. Description: cleartext mail content is stored in device file storage and persists after logout, exposing potentially sensitive data. The connected documents confirm affected software and the root c...