CVE-2026-1435 Incorrect management of session invalidation vulnerability in Graylog Web Interface
Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers,...
CVE-2025-43819
An Insufficient Session Expiration vulnerability in Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 allows a remote unauthenticated attacker to reuse old...
CVE-2024-49709
Internet Starter, one of the SoftCOM iKSORIS system modules, allows an arbitrary session cookie value to be set. An attacker with access to a user's browser might set such a cookie, wait until the user logs in, and then use the same cookie to take over the account. Moreover, the system does not...
CVE-2022-1155
Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10...
PT-2025-3303 · Mailcow · Mailcow
Name of the Vulnerable Software and Affected Versions: Mailcow versions through 2024-11b Description: The issue is related to a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in...
Chatwoot Authorization Issue Vulnerability
Chatwoot is an open source customer engagement suite, an alternative to Intercom, Zendesk, Salesforce Service Cloud, and more. An authorization issue vulnerability exists in versions prior to Chatwoot 2.4.0 that stems from the presence of a session fixation...
PT-2024-22883 · Cskefu · Cskefu
Name of the Vulnerable Software and Affected Versions: cskefu version 7 Description: The issue is related to Insufficient Session Expiration, which allows attackers to exploit old sessions for malicious activity. Recommendations: For cskefu version 7, consider implementing proper session expirati...
phpMyFAQ Access Control Error Vulnerability
phpMyFAQ is a multi-language, fully database-driven FAQ system. An access control error vulnerability exists in versions prior to phpMyFAQ 3.2.2, which stems from the presence of insufficient session expiration. An attacker can exploit this vulnerability to still use old sessions...
Kirby Code Issue Vulnerability
Kirby is a file-based content management system CMS. A code issue vulnerability exists in Kirby versions 3.5.8.2 and earlier, 3.6.0 through 3.6.6.2, 3.7.0 through 3.7.5.1, 3.8.0 through 3.8.4, and 3.9.0 through 3.9.5, which arises from a change in a user's password by a user or site administrator...
CVE-2023-37919 Cal.com not expiring old sessions after enabling 2FA
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other devices...
Cal.com Code Issue Vulnerability
Cal.com is open source scheduling software from Cal.com Open Source. A code issue vulnerability exists in Cal.com that stems from old sessions not expiring when 2FA is enabled...
Session Fixation
org.apache.inlong is vulnerable to Session Fixation. The vulnerability exists due to insufficient session expiration, which allows an attacker to use old sessions even after the user has been deleted or the password has been changed...
CVE-2022-1155 Old sessions are not blocked by the login enable function in snipe/snipe-it
Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10...
Old sessions are not blocked by the login enable function.
Description: If you disable the login function of a user, that user can still log in by using their old session. Proof of Concept: Step 1: log in to the dashboard with a normal account. Step 2: use a different browser to log in as admin. Step 3: make the normal account from step 1 unable to log in. Step 4: return t...
CVE-2020-23140
Microweber 1.1.18 is affected by insufficient session expiration. When a user changes their password or email, existing sessions in any other browser or device do not expire and remain active...
CVE-2020-6363
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate...
CVE-2017-1000136
Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change...