Lucene search
K

64 matches found

OSV
OSV
added 2025/12/17 7:16 p.m.3 views

CVE-2025-13324

Mattermost versions 10.11.x = 10.11.5, 11.0.x = 11.0.4, 10.12.x = 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

3.7CVSS6.9AI score
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.7 views

VulnCheck KEV: CVE-2023-41346

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the syst...

8.8CVSS6.1AI score0.01202EPSS
In wildExploits0References2
Vulnrichment
Vulnrichment
added 2025/10/27 9:22 p.m.3 views

CVE-2025-62781 PILOS is missing session regeneration after password change

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s...

5CVSS6.3AI score0.00159EPSS
Exploits0References1
Snyk
Snyk
added 2025/10/23 3:30 p.m.1 views

Insufficient Session Expiration

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the...

5.4CVSS6.7AI score0.00272EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/10/23 2:19 p.m.2 views

CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS6.1AI score0.00272EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-0074

Malware in sbrugna...

9.1CVSS9AI score0.01257EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2013-3205

Malware in sbrugna...

10CVSS6.4AI score0.01635EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-3212

Malicious code in bioql PyPI...

5.4CVSS6.4AI score0.00221EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-28977

Malicious code in bioql PyPI...

6CVSS6.6AI score0.00127EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-45849

Malicious code in bioql PyPI...

8.8CVSS8.4AI score0.01202EPSS
Exploits0References1
NVD
NVD
added 2025/09/11 5:15 p.m.6 views

CVE-2025-26499

Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...

6CVSS0.00127EPSS
Exploits0References2
CVE
CVE
added 2025/09/11 4:46 p.m.16 views

CVE-2025-26499

The CVE-2025-26499 entry describes a race-condition vulnerability: under heavy system utilization a concurrent action by two users during authentication or token refresh can grant a token for one user to another, enabling temporary impersonation until the session ends. Impact is exposure to anoth...

6CVSS6.5AI score0.00127EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/09/11 4:46 p.m.4 views

CVE-2025-26499

Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...

6CVSS6.5AI score0.00127EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/09/11 4:46 p.m.8 views

CVE-2025-26499

Under heavy system utilization a random race condition can occur during authentication or token refresh operation. This flaw allows one user to be granted a token intended for another user, resulting in impersonation until the session is ended. This flaw cannot be intentionally exploited due to t...

6CVSS0.00127EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/09/11 12:0 a.m.5 views

Wind River Studio Developer 安全漏洞

Wind River Studio Developer is a tool with the ability to build, test, and debug embedded system applications from Wind River Studio Developer, USA. A security vulnerability exists in Wind River Studio Developer that originates from a random contention condition that can occur during an...

6CVSS6.8AI score0.00127EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/09/11 12:0 a.m.5 views

PT-2025-37193

Name of the Vulnerable Software and Affected Versions: affected versions not specified Description: A race condition can occur during authentication or token refresh operations under heavy system utilization. This allows a user to be granted a token intended for another user, potentially leading ...

6CVSS6.2AI score0.00127EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/05/22 4:6 p.m.19 views

CVE-2020-10594

An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of...

9.1CVSS6.6AI score0.01257EPSS
Exploits0References1
Oracle linux
Oracle linux
added 2025/03/25 12:0 a.m.29 views

fence-agents security update

4.10.0-76.6 - fenceibmvpc: refresh bearer-token if token data is corrupt, and avoid edge-case of writing empty token file Resolves: RHEL-83487 4.10.0-76.5 - bundled jinja2: fix CVE-2025-27516 Resolves: RHEL-82712...

5.4CVSS7.3AI score0.00465EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2024/12/02 8:4 p.m.31 views

AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s

Summary When making any HTTP request, the automatically enabled and self-managed CookieStore aka cookie jar will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie...

9.2CVSS6.2AI score0.00587EPSS
Exploits0References7Affected Software1
CNNVD
CNNVD
added 2024/11/08 12:0 a.m.3 views

Duende.AccessTokenManagement 安全漏洞

Duende.AccessTokenManagement is an open source library from Duende. It is used to manage OAuth and OpenId Connect access tokens. A security vulnerability existed prior to Duende.AccessTokenManagement version 3.0.1, which stemmed from the possibility that an HTTP client created by...

5.4CVSS6.5AI score0.00221EPSS
Exploits0References1
Rows per page
Query Builder