200 matches found
EUVD-2024-37263
Malicious code in bioql PyPI...
EUVD-2023-49950
Malicious code in bioql PyPI...
EUVD-2022-4624
Malicious code in bioql PyPI...
EUVD-2022-46527
Malicious code in bioql PyPI...
GHSA-RPW8-82V9-3Q87 Fides' Admin UI User Password Change Does Not Invalidate Current Session
Summary Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS can maintain access even after password reset. This issue is not directly...
CVE-2025-55162
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...
Envoy 代码问题漏洞
Envoy is an Enphase open source gateway program for connecting smart home devices. A code issue vulnerability exists in Envoy, which stems from the OAuth2 filter omitting the Secure attribute when deleting session cookies with the Secure-/Host- prefix, resulting in the browser rejecting the delet...
Linux Distros Unpatched Vulnerability : CVE-2019-2386
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated...
Linux Distros Unpatched Vulnerability : CVE-2020-1776
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case...
Shopify: Session Persistence Designed to Keep Users Logged In Across Multiple Devices (Intended Behaviour)
Summary: Hi, After logging out of the application, the session associated with the user is not invalidated server-side. An attacker with access to the session cookie prior to logout can reuse the same cookie to re-authenticate, effectively bypassing the logout process and regaining access to the...
CVE-2024-32006
A vulnerability has been identified in SINEMA Remote Connect Client All versions V3.2 SP2. The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication...
CVE-2023-45187
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749...
CVE-2023-45659
Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixe...
CVE-2022-43529
A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to...
CVE-2022-40228
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527...
CVE-2021-25979
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account...
CVE-2021-38823
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser...
Exploit for Deserialization of Untrusted Data in Apache Tomcat
CVE-2025-24813: Apache 1. Explanation Tomcat is vulnerabl...
Exploit for Deserialization of Untrusted Data in Apache Tomcat
利用条件 + DefaultServlet 写入功能启用:需在 web.xml 中配置 readonly=false...
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A devastating new remote code execution RCE vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online:...