13 matches found
CVE-2026-41519 Weblate's API Token Not Invalidated on Password Change
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cyclesessionkeys", but DRF API tokens "wlu" prefix stored in "authtokentoken" are not revoked. This issue has been patched in version 5.17.1...
CVE-2026-30224
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default ≈ 1 year...
CVE-2025-62174
Summary: Mastodon prior to versions 4.4.6, 4.3.14, and 4.2.27 fails to revoke active sessions and access tokens when an admin resets a user password via the CLI command bin/tootctl accounts modify --reset-password, allowing continued use of the account by an attacker with a compromised session/to...
EUVD-2025-24832
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2020-13307
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not revoking current user sessions when 2 factor authentication...
CVE-2025-27847
In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout...
CVE-2025-27847
In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout...
CVE-2025-27847
CVE-2025-27847 affects ESPEC North America Web Controller 3 (prior to 3.3.8). The issue is that user session privileges are not revoked on logout via the /api/v4/auth/ endpoint, which can allow continued access after logout. CVSS v3.1 metrics indicate a Medium impact with Privileges Required: Non...
CVE-2024-56351
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles...
SUSE CVE-2020-13230
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account e.g., permission to view logs...
pki-core: Unprivileged users can renew any certificate
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity...
CVE-2020-15950
Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout...
UBUNTU-CVE-2019-14879
A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked where applicable...