64 matches found
CVE-2025-13324
Mattermost versions 10.11.x = 10.11.5, 11.0.x = 11.0.4, 10.12.x = 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...
VulnCheck KEV: CVE-2023-41346
ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the syst...
CVE-2025-62781 PILOS is missing session regeneration after password change
PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s...
Insufficient Session Expiration
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the...
CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed
A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...
EUVD-2020-0074
Malware in sbrugna...
EUVD-2013-3205
Malware in sbrugna...
EUVD-2024-3212
Malicious code in bioql PyPI...
EUVD-2025-28977
Malicious code in bioql PyPI...
EUVD-2023-45849
Malicious code in bioql PyPI...
CVE-2025-26499
Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...
CVE-2025-26499
The CVE-2025-26499 entry describes a race-condition vulnerability: under heavy system utilization a concurrent action by two users during authentication or token refresh can grant a token for one user to another, enabling temporary impersonation until the session ends. Impact is exposure to anoth...
CVE-2025-26499
Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...
CVE-2025-26499
Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...
Wind River Studio Developer 安全漏洞
Wind River Studio Developer is a tool with the ability to build, test, and debug embedded system applications from Wind River Studio Developer, USA. A security vulnerability exists in Wind River Studio Developer that originates from a random contention condition that can occur during an...
PT-2025-37193
Name of the Vulnerable Software and Affected Versions: affected versions not specified Description: A race condition can occur during authentication or token refresh operations under heavy system utilization. This allows a user to be granted a token intended for another user, potentially leading ...
CVE-2020-10594
An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of...
fence-agents security update
4.10.0-76.6 - fenceibmvpc: refresh bearer-token if token data is corrupt, and avoid edge-case of writing empty token file Resolves: RHEL-83487 4.10.0-76.5 - bundled jinja2: fix CVE-2025-27516 Resolves: RHEL-82712...
AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
Summary When making any HTTP request, the automatically enabled and self-managed CookieStore aka cookie jar will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie...
Duende.AccessTokenManagement 安全漏洞
Duende.AccessTokenManagement is an open source library from Duende. It is used to manage OAuth and OpenId Connect access tokens. A security vulnerability existed prior to Duende.AccessTokenManagement version 3.0.1, which stemmed from the possibility that an HTTP client created by...