133 matches found
Cross-Site Scripting (XSS)
Trix is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of the link field, allowing attackers to trick users into pasting a malicious javascript: URL, which could execute arbitrary JavaScript code within the user's session...
PT-2025-32144
Name of the Vulnerable Software and Affected Versions CIRCL affected versions not specified Description A flaw exists in CIRCL’s implementation of the FourQ elliptic curve. This issue allows an attacker to compromise session security through low-order point injection and incorrect point validatio...
PYSEC-2024-202
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...
CVE-2024-5148
A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and...
CVE-2024-35049
SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590...
CVE-2024-35049
SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590...
DEBIAN-CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
CVE-2023-41900 Jetty's OpenId Revoked authentication allows one request
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the...
CVE-2023-3724
If a TLS 1.3 client gets neither a PSK pre shared key extension nor a KSE key share extension when connecting to a malicious server, a default predictable buffer gets used for the IKM Input Keying Material value when generating the session master secret. Using a potentially known IKM value when...
CVE-2023-3724
If a TLS 1.3 client gets neither a PSK pre shared key extension nor a KSE key share extension when connecting to a malicious server, a default predictable buffer gets used for the IKM Input Keying Material value when generating the session master secret. Using a potentially known IKM value when...
SUSE CVE-2010-0161
The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service heap memory corruption and applicatio...
Apache::Session::LDAP 信任管理问题漏洞
Apache::Session::LDAP is a tool for storing Apache sessions in LDAP. A security vulnerability exists in Apache::Session::LDAP versions prior to 0.5 that stems from not checking the validity of an X.509 certificate...
PYSEC-2022-287
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6...
CVE-2022-22496
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942...
IBM Spectrum Protect Server 安全特征问题漏洞
IBM Spectrum Protect Server is a spectrum protection system from IBM USA, Inc. providing comprehensive data resiliency for physical file servers, virtual environments, and a wide range of applications.IBM Spectrum Protect Server versions 8.1.0.000 through 8.1.14 have a security feature issue...
Security Bulletin: IBM Spectrum Protect Server vulnerable to offline dictionary and brute force attacks (CVE-2022-22496, CVE-2022-22487)
Summary The IBM Spectrum Protect Server is vulnerable to an offline dictionary attack when using SESSIONSECURITY=TRANSITIONAL. The IBM Spectrum Protect Storage agent is vulnerable to a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrati...
CVE-2022-22496
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942...
Jira does not invalidate session after a password change
When a user changes their username via the UI the session cookie is not invalidated. For security purposes, all sessions should be invalidated and require the user to sign back in with the new password...
Mageia: Security Advisory (MGASA-2021-0383)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
MGASA-2021-0383 Updated perl-Mojolicious package fixes security vulnerability
This update backports some significant security fixes relating to session security from the upstream 9.19 release. See upstream references for more informations...