Total: 398 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-2888 | 1 Octoprint | 1 Octoprint | 2025-05-28 | 4.4 Medium | If an attacker comes into possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate for as long as the victim's account exists. |
CVE-2025-48061 | | | 2025-05-23 | 5.6 Medium | wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login, or when the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout or logging in as a temporary client. |
CVE-2025-22386 | 1 Optimizely | 1 Configured Commerce | 2025-05-20 | 7.3 High | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. |
CVE-2025-40566 | | | 2025-05-13 | 8.8 High | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3) and SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. |
CVE-2021-33322 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 7.5 High | In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user's password via the old password reset token. |
CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2025-05-13 | 5.4 Medium | devhub 0.102.0 was discovered to contain broken session control. |
CVE-2025-46336 | | | 2025-05-12 | 4.2 Medium | Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long-running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to log out. This issue has been patched in version 2.1.1. |
CVE-2025-4528 | | | 2025-05-12 | 4.3 Medium | A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2025-05-07 | 9.1 Critical | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. |
CVE-2024-52553 | 1 Jenkins | 2 Openid, Openid Connect Authentication | 2025-05-07 | 8.8 High | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. |
CVE-2025-46815 | | | 2025-05-07 | 8 High | The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. This id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. |
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2025-05-07 | 5.8 Medium | Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. |
CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2025-05-02 | 6.5 Medium | IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532. |
CVE-2025-1968 | | | 2025-05-02 | 7.7 High | Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks). This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429. |
CVE-2025-46344 | | | 2025-05-02 | N/A | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1. |
CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2025-05-01 | 2.7 Low | In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, event stream subscribers using a token with a TTL continue to receive updates until the token is garbage collected. Fixed in 1.4.2. |
CVE-2022-3362 | 1 Ikus-soft | 1 Rdiffweb | 2025-04-30 | 9.8 Critical | Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. |
CVE-2021-25966 | 1 Orchardcore | 1 Orchard Core | 2025-04-30 | 8.8 High | In the "Orchard core CMS" application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed. |
CVE-2021-25970 | 1 Tuzitio | 1 Camaleon Cms | 2025-04-30 | 8.8 High | Camaleon CMS 0.1.7 to 2.6.0 doesn't terminate the active session of the users, even after the admin changes the user's password. A user that was already logged in will still have access to the application even after the password was changed. |
CVE-2021-25979 | 1 Apostrophecms | 1 Apostrophecms | 2025-04-30 | 9.8 Critical | Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases, the user account in question can be archived (3.x) or moved to the trash (2.x and earlier), which does disable the existing session. |