Total: 459 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1198 | 1 Gitlab | 1 Gitlab | 2025-08-06 | 4.2 Medium |
| An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. | ||||
| CVE-2025-36040 | 1 Ibm | 1 Aspera Faspex | 2025-08-06 | 6.5 Medium |
| IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. | ||||
| CVE-2025-53826 | 1 Filebrowser | 1 Filebrowser | 2025-08-05 | 9.8 Critical |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist. | ||||
| CVE-2025-50491 | 1 Phpgurukul | 1 Bank Locker Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50488 | 1 Phpgurukul | 1 Online Library Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50486 | 1 Phpgurukul | 1 E-diary Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /carrental/update-password.php of PHPGurukul Car Rental Project v3.0 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50485 | 1 Phpgurukul | 1 Online Course Registration | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50487 | 1 Phpgurukul | 1 Blood Bank & Donor Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack. | ||||
| CVE-2024-11627 | 1 Progress | 1 Sitefinity | 2025-07-29 | 6.8 Medium |
| Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | ||||
| CVE-2024-50562 | 1 Fortinet | 3 Fortios, Fortipam, Fortisase | 2025-07-25 | 4.4 Medium |
| An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in to the SSL-VPN portal to log in again, although the session has expired or was logged out. | ||||
| CVE-2024-27779 | 1 Fortinet | 2 Fortiisolator, Fortisandbox | 2025-07-22 | 6.3 Medium |
| An insufficient session expiration vulnerability [CWE-613] in FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted. | ||||
| CVE-2025-49152 | | | 2025-07-17 | N/A |
| The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system. | ||||
| CVE-2024-29402 | 1 Cskefu | 1 Cskefu | 2025-07-14 | 4.3 Medium |
| cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | ||||
| CVE-2025-28059 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 7.5 High |
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | ||||
| CVE-2024-29070 | 1 Apache | 1 Streampark | 2025-07-10 | 9.1 Critical |
| On versions before 2.1.4, the session is not invalidated after logout. When a user logs in successfully, the backend service returns "Authorization" as the front-end authentication credential; that "Authorization" value can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4. | ||||
| CVE-2024-7998 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | 2.6 Low |
| In affected versions of Octopus Server, OIDC cookies were using the wrong expiration time, which could result in them having the maximum lifespan. | ||||
| CVE-2025-4407 | | | 2025-06-30 | 6.7 Medium |
| Insufficient Session Expiration vulnerability in ABB Lite Panel Pro. This issue affects Lite Panel Pro: through 1.0.1. | ||||
| CVE-2025-46344 | 1 Auth0 | 1 Nextjs-auth0 | 2025-06-23 | N/A |
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1 do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1. | ||||
| CVE-2025-0138 | 1 Paloaltonetworks | 1 Prisma Cloud Compute Edition | 2025-06-23 | N/A |
| Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue. | ||||
| CVE-2025-28132 | 1 Nagios | 1 Nagios Network Analyzer | 2025-06-18 | 4.6 Medium |
| A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf. | ||||
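The entries above are all instances of CWE-613 and fall into four recurring gaps: a token minted without an expiration claim (CVE-2025-49152, CVE-2025-46344), a token that stays valid after logout (CVE-2024-29070, CVE-2025-28132), a session that survives a password change (the PHPGurukul entries), and a session that survives deletion of its user (CVE-2024-27779, CVE-2025-28059, CVE-2025-0138). The following is an added example written for this page, not code from any of the listed vendors, showing a minimal HS256 token issuer, a server-side session store, and a verifier that rejects each of those four cases. All names (`issue_token`, `SessionStore`, `verify_token`), the signing key and the timestamps are hypothetical, constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key; a real service loads this from a secret store.
KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: int, ttl: Optional[int] = 900, key: bytes = KEY) -> str:
    """Mint an HS256 JWT for `user`. ttl=None reproduces the catalogued bug of a
    token with no exp claim (the nextjs-auth0 case, where the expiration was never set)."""
    claims = {"sub": user, "iat": now, "jti": secrets.token_hex(8)}
    if ttl is not None:
        claims["exp"] = now + ttl
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


class SessionStore:
    """The server-side state a bare token lacks: which token ids (jti) are still
    live, which users are gone, and a per-user issue-time cut-off before which
    every earlier token is dead."""

    def __init__(self) -> None:
        self.live = {}        # jti -> user
        self.not_before = {}  # user -> tokens issued before this time are revoked
        self.deleted = set()  # users whose accounts were removed

    def login(self, user: str, now: int, ttl: int = 900) -> str:
        token = issue_token(user, now, ttl)
        jti = json.loads(_unb64(token.split(".")[1]))["jti"]
        self.live[jti] = user
        return token

    def logout(self, token: str) -> None:
        # Closes the logout gap: the jti is dropped, so the token no longer authenticates.
        jti = json.loads(_unb64(token.split(".")[1]))["jti"]
        self.live.pop(jti, None)

    def password_changed(self, user: str, now: int) -> None:
        # Closes the change-password gap: every token issued before now is revoked.
        self.not_before[user] = now

    def delete_user(self, user: str, now: int) -> None:
        # Closes the deleted-user gap: the account is marked gone and its tokens revoked.
        self.deleted.add(user)
        self.password_changed(user, now)


def verify_token(token: str, store: SessionStore, now: int, key: bytes = KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). The signature check comes first so that no
    unauthenticated data influences the later lookups."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad-signature"
    if json.loads(_unb64(head)).get("alg") != "HS256":
        return False, "bad-alg"
    claims = json.loads(_unb64(body))
    # A missing exp is a rejection, never "valid forever".
    if "exp" not in claims:
        return False, "no-exp"
    if now >= claims["exp"]:
        return False, "expired"
    user = claims.get("sub")
    if user in store.deleted:
        return False, "user-deleted"
    # Strict '<': a token minted in the same second as the cut-off still passes;
    # keep a per-user session version counter instead if that window matters.
    if claims["iat"] < store.not_before.get(user, 0):
        return False, "revoked"
    if claims["jti"] not in store.live:
        return False, "logged-out"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    t0 = int(time.time())
    tok = store.login("alice", t0)
    print(verify_token(tok, store, t0 + 60))   # (True, 'ok')
    store.logout(tok)
    print(verify_token(tok, store, t0 + 60))   # (False, 'logged-out')
```

The point of the store is that a signed token by itself can only answer "was this issued by us and is it past exp"; logout, password change and account deletion are server-side events, so the verifier has to consult server-side state on every request, and a token with no expiration claim must fail closed rather than be treated as unexpiring.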