Total
438 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24859 | 1 Apache | 1 Roller | 2025-06-03 | 8.8 High |
| A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled. | ||||
| CVE-2024-45033 | 1 Apache | 1 Apache-airflow-providers-fab | 2025-06-03 | 8.1 High |
| Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9 which was addressed in Apache-Airflow 2.7.0 Users are recommended to upgrade to version 1.5.2, which fixes the issue. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-03 | 3.1 Low |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-21722 | 1 Joomla | 1 Joomla\! | 2025-06-02 | 6.3 Medium |
| The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified. | ||||
| CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2025-05-29 | 3.3 Low |
| Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | ||||
| CVE-2022-2888 | 1 Octoprint | 1 Octoprint | 2025-05-28 | 4.4 Medium |
| If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. | ||||
| CVE-2025-48061 | 2025-05-23 | 5.6 Medium | ||
| wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login or the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client. | ||||
| CVE-2025-22386 | 1 Optimizely | 1 Configured Commerce | 2025-05-20 | 7.3 High |
| An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. | ||||
| CVE-2021-33322 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 7.5 High |
| In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the old password reset token. | ||||
| CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2025-05-13 | 5.4 Medium |
| devhub 0.102.0 was discovered to contain a broken session control. | ||||
| CVE-2025-46336 | 2025-05-12 | 4.2 Medium | ||
| Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1. | ||||
| CVE-2025-4528 | 2025-05-12 | 4.3 Medium | ||
| A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2025-05-07 | 9.1 Critical |
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | ||||
| CVE-2024-52553 | 1 Jenkins | 2 Openid, Openid Connect Authentication | 2025-05-07 | 8.8 High |
| Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. | ||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2025-05-07 | 5.8 Medium |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | ||||
| CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2025-05-02 | 6.5 Medium |
| "IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532." | ||||
| CVE-2025-1968 | 2025-05-02 | 7.7 High | ||
| Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429. | ||||
| CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2025-05-01 | 2.7 Low |
| HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. | ||||
| CVE-2022-3362 | 1 Ikus-soft | 1 Rdiffweb | 2025-04-30 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. | ||||