Total
366 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-47663 | 2025-04-24 | N/A | 8.1 HIGH | ||
| Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access. | |||||
| CVE-2024-22351 | 2025-04-23 | N/A | 6.3 MEDIUM | ||
| IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2023-45600 | 1 Ailux | 1 Imx6 | 2025-04-23 | N/A | 5.6 MEDIUM |
| A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2024-35048 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 4.3 MEDIUM |
| An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password. | |||||
| CVE-2024-35049 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 9.1 CRITICAL |
| SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590. | |||||
| CVE-2024-35050 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 8.8 HIGH |
| An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin. | |||||
| CVE-2025-42602 | 2025-04-23 | N/A | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | |||||
| CVE-2025-28059 | 2025-04-22 | N/A | 7.5 HIGH | ||
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | |||||
| CVE-2022-47406 | 1 Change Password For Frontend Users Project | 1 Change Password For Frontend Users | 2025-04-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed. | |||||
| CVE-2024-45651 | 2025-04-21 | N/A | 6.3 MEDIUM | ||
| IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2016-5069 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. | |||||
| CVE-2017-11667 | 1 Openproject | 1 Openproject | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. | |||||
| CVE-2015-5171 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. | |||||
| CVE-2017-14007 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2025-04-20 | 6.8 MEDIUM | 5.6 MEDIUM |
| An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. | |||||
| CVE-2017-1000131 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | |||||
| CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | |||||
| CVE-2016-8712 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2025-04-20 | 4.3 MEDIUM | 8.1 HIGH |
| An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. | |||||
| CVE-2017-12159 | 2 Keycloak, Redhat | 3 Keycloak, Enterprise Linux Server, Single Sign On | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | |||||
| CVE-2017-6145 | 1 F5 | 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
| iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens. | |||||
| CVE-2017-6529 | 1 Dnatools | 1 Dnalims | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter. | |||||