CVE-2024-25977

The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser e.g. via XSS and prompt the victim to log in e.g. via a redirect to the login page. This results in the victim's account being taken over...

CVE-2024-56733

Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token ...

CVE-2024-34709

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directussession gets destroyed and the cookie gets deleted but if the cookie value is...

CVE-2024-33932

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Vinod Dalvi Login Logout Register Menu allows Stored XSS.This issue affects Login Logout Register Menu: from n/a through 2.0...

CVE-2024-31927

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Aminur Islam WP Login and Logout Redirect allows Stored XSS.This issue affects WP Login and Logout Redirect: from n/a through 1.2...

CVE-2024-57433

macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control via the logout function. After a user logs out, their token is still available and fetches information in the logged-in state...

CVE-2024-56311

REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery CSRF attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This...

CVE-2023-31140

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication 2FA device for an account, existing logged in sessions for that user account are not terminated. Likewise, if a...

CVE-2023-0552

The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability...

CVE-2023-26448

Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit...

CVE-2023-47870

Cross-Site Request Forgery CSRF, Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a through 2.2.6...

CVE-2023-41648

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Swapnil V. Patil Login and Logout Redirect.This issue affects Login and Logout Redirect: from n/a through 2.0.3...

CVE-2023-40732

A vulnerability has been identified in QMS Automotive All versions V12.39. The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks...

CVE-2023-35857

In Siren Investigate before 13.2.2, session keys remain active even after logging out...

CVE-2023-2415

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

CVE-2023-2822

A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been...

CVE-2023-25454

Missing Authorization vulnerability in Nate Reist Protected Posts Logout Button allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Protected Posts Logout Button: from n/a through 1.4.5...

CVE-2023-2416

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcitalogoutcallback function in versions up to, and including, 4.5. This makes it possible for unauthenticated to logout a vctia...

CVE-2023-44142

Missing Authorization vulnerability in Deepen Bajracharya Inactive Logout inactive-logout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Inactive Logout: from n/a through = 3.2.2...

CVE-2022-43844

IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081...