Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-0138 | 2025-05-16 | N/A | N/A | ||
| Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue. | |||||
| CVE-2025-40566 | 2025-05-13 | N/A | 8.8 HIGH | ||
| A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. | |||||
| CVE-2021-33322 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | |||||
| CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2025-05-13 | N/A | 5.4 MEDIUM |
| devhub 0.102.0 was discovered to contain a broken session control. | |||||
| CVE-2025-46336 | 2025-05-12 | N/A | 4.2 MEDIUM | ||
| Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1. | |||||
| CVE-2025-4528 | 2025-05-12 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-32441 | 2025-05-08 | N/A | 4.2 MEDIUM | ||
| Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began. | |||||
| CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2025-05-07 | N/A | 9.1 CRITICAL |
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | |||||
| CVE-2024-52553 | 1 Jenkins | 1 Openid Connect Authentication | 2025-05-07 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-46815 | 2025-05-07 | N/A | 8.0 HIGH | ||
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
| CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2025-05-02 | N/A | 6.5 MEDIUM |
| "IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532." | |||||
| CVE-2025-46344 | 2025-05-02 | N/A | N/A | ||
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1. | |||||
| CVE-2022-36179 | 1 Fusiondirectory | 1 Fusiondirectory | 2025-04-29 | N/A | 9.8 CRITICAL |
| Fusiondirectory 1.3 suffers from Improper Session Handling. | |||||
| CVE-2021-47663 | 2025-04-29 | N/A | 8.1 HIGH | ||
| Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access. | |||||
| CVE-2024-22351 | 2025-04-29 | N/A | 6.3 MEDIUM | ||
| IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2025-2185 | 2025-04-29 | N/A | 8.0 HIGH | ||
| ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception. | |||||
| CVE-2023-45600 | 1 Ailux | 1 Imx6 | 2025-04-23 | N/A | 5.6 MEDIUM |
| A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2024-35049 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 9.1 CRITICAL |
| SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590. | |||||
| CVE-2024-35050 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 8.8 HIGH |
| An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin. | |||||
| CVE-2025-42602 | 2025-04-23 | N/A | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | |||||