Total
388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6145 | 1 F5 | 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
| iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens. | |||||
| CVE-2017-1000135 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | |||||
| CVE-2015-5171 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. | |||||
| CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | |||||
| CVE-2017-12867 | 1 Simplesamlphp | 1 Simplesamlphp | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | |||||
| CVE-2017-1000131 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | |||||
| CVE-2017-12159 | 2 Keycloak, Redhat | 3 Keycloak, Enterprise Linux Server, Single Sign On | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | |||||
| CVE-2017-3215 | 1 Milwaukee | 1 One-key | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions. | |||||
| CVE-2016-8712 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2025-04-20 | 4.3 MEDIUM | 8.1 HIGH |
| An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. | |||||
| CVE-2016-5069 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. | |||||
| CVE-2025-30516 | 2025-04-15 | N/A | 2.0 LOW | ||
| Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications | |||||
| CVE-2014-3616 | 2 Debian, F5 | 2 Debian Linux, Nginx | 2025-04-12 | 4.3 MEDIUM | N/A |
| nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks. | |||||
| CVE-2023-49091 | 1 Cosmos-cloud | 1 Cosmos Server | 2025-04-11 | N/A | 8.8 HIGH |
| Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.1. | |||||
| CVE-2022-43844 | 2 Ibm, Redhat | 2 Robotic Process Automation For Cloud Pak, Openshift | 2025-04-10 | N/A | 8.8 HIGH |
| IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081. | |||||
| CVE-2025-1968 | 2025-04-09 | N/A | 7.7 HIGH | ||
| Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429. | |||||
| CVE-2024-22543 | 1 Linksys | 2 E1700, E1700 Firmware | 2025-04-08 | N/A | 6.1 MEDIUM |
| An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function. | |||||
| CVE-2023-24426 | 1 Jenkins | 1 Azure Ad | 2025-04-02 | N/A | 8.8 HIGH |
| Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. | |||||
| CVE-2024-1900 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | 5.5 MEDIUM |
| Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The user will stay authenticated until the Devolutions Server token expiration. | |||||
| CVE-2025-2596 | 2025-03-27 | N/A | N/A | ||
| Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL) | |||||
| CVE-2024-34092 | 1 Archerirm | 1 Archer | 2025-03-25 | N/A | 8.8 HIGH |
| An issue was discovered in Archer Platform 6 before 2024.04. Authentication was mishandled because lock did not terminate an existing session. 6.14 P3 (6.14.0.3) is also a fixed release. | |||||