11 matches found

Source: OSV · added 2025/11/26 10:11 p.m. · 1 view

GHSA-WMJR-V86C-M9JJ Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

Summary: A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cook...

CVSS 2 · AI score 6.9 · Exploits 0 · References 4
Source: NVD · added 2024/11/18 6:15 a.m. · 17 views

CVE-2024-52947

A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin...

CVSS 5.4 · EPSS 0.00162 · Exploits 0 · References 2
Source: OSV · added 2024/11/18 6:15 a.m. · 0 views

DEBIAN-CVE-2024-52947

A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin...

CVSS 5.4 · AI score 5.3 · EPSS 0.00162 · Exploits 0 · References 1
Source: OSV · added 2024/11/18 6:15 a.m. · 4 views

UBUNTU-CVE-2024-52947

A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin...

CVSS 5.4 · AI score 5.8 · EPSS 0.00162 · Exploits 0 · References 3
Source: CVE · added 2024/11/18 12:00 a.m. · 59 views

CVE-2024-52947

CVE-2024-52947 (LemonLDAP::NG) is a cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1. An attacker can inject arbitrary script/HTML via the url parameter on the upgrade session confirmation page (upgradeSession/forceUpgrade) when the "Upgrade session" plugin is enabled by an...

CVSS 5.4 · AI score 5.8 · EPSS 0.00162 · Exploits 0 · References 2
Source: Positive Technologies · added 2024/11/17 12:00 a.m. · 2 views

PT-2024-35497 · Unknown · Lemonldap::Ng

Name of the Vulnerable Software and Affected Versions: LemonLDAP::NG versions prior to 2.20.1
Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page, specifically the "upgradeSessi...

CVSS 8.8 · AI score 5.8 · EPSS 0.00222 · Exploits 0 · References 17
Source: NVD · added 2024/05/21 9:15 p.m. · 14 views

CVE-2024-35220

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 7.4 · EPSS 0.00351 · Exploits 0 · References 3
Source: OSV · added 2024/05/21 8:26 p.m. · 12 views

CVE-2024-35220 @fastify/session reuses destroyed session cookie

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 7.2 · EPSS 0.00351 · Exploits 0 · References 5
Source: CVE · added 2024/05/21 8:26 p.m. · 50 views

CVE-2024-35220

Summary: CVE-2024-35220 affects the @fastify/session plugin for Fastify. When restoring a cookie from the session store, the expires field is overridden if maxAge is set, causing expired cookies/sessions to not be destroyed. The issue is fixed in version 10.8.0; affected users should upgrade to 1...

CVSS 7.4 · AI score 7.4 · EPSS 0.00351 · Exploits 0 · References 3
Source: Vulnrichment · added 2024/05/21 8:26 p.m. · 15 views

CVE-2024-35220 @fastify/session reuses destroyed session cookie

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 6.8 · EPSS 0.00351 · Exploits 0 · References 3
Source: CNNVD · added 2022/12/28 12:00 a.m. · 1 view

Catalyst cross-site scripting vulnerability

Catalyst is an elegant MVC web application framework. A cross-site scripting vulnerability exists in Catalyst Catalyst-Plugin-Session versions prior to 0.40; it stems from incorrect handling of the sid parameter, leading to cross-site scripting...

CVSS 6.1 · AI score 4.3 · EPSS 0.00274 · Exploits 0 · References 5