Total
413 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63226 | 2025-11-19 | N/A | 5.7 MEDIUM | ||
| The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities. | |||||
| CVE-2025-64708 | 2025-11-19 | N/A | 5.8 MEDIUM | ||
| authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid. | |||||
| CVE-2025-56643 | 2025-11-19 | N/A | 9.1 CRITICAL | ||
| Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism. | |||||
| CVE-2025-12110 | 2025-11-13 | N/A | 5.4 MEDIUM | ||
| A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are. | |||||
| CVE-2025-23419 | 2 Debian, F5 | 3 Debian Linux, Nginx, Nginx Plus | 2025-11-12 | N/A | 4.3 MEDIUM |
| When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-4528 | 1 Digitro | 1 Ngc Explorer | 2025-11-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12278 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-10 | N/A | 6.5 MEDIUM |
| Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | |||||
| CVE-2025-55278 | 2025-11-06 | N/A | 8.1 HIGH | ||
| Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges. | |||||
| CVE-2024-13996 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
| Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change. | |||||
| CVE-2024-36041 | 1 Kde | 1 Plasma-workspace | 2025-11-04 | N/A | 7.8 HIGH |
| KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. | |||||
| CVE-2023-49935 | 1 Schedmd | 1 Slurm | 2025-11-04 | N/A | 8.8 HIGH |
| An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1. | |||||
| CVE-2025-62781 | 1 Thm | 1 Pilos | 2025-11-04 | N/A | 5.0 MEDIUM |
| PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0. | |||||
| CVE-2025-64386 | 2025-11-04 | N/A | N/A | ||
| The equipment grants a JWT token for each connection in the timeline, but during an active valid session, a hijacking of the token can be done. This will allow an attacker with the token modify parameters of security, access or even steal the session without the legitimate and active session detecting it. The web server allows the attacker to reuse an old session JWT token while the legitimate session is active. | |||||
| CVE-2025-54547 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
| On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired | |||||
| CVE-2025-11429 | 2025-10-27 | N/A | 5.4 MEDIUM | ||
| A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration. | |||||
| CVE-2024-41985 | 1 Siemens | 1 Opcenter Quality | 2025-10-22 | N/A | 2.6 LOW |
| A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle. | |||||
| CVE-2025-48929 | 1 Smarsh | 1 Telemessage | 2025-10-22 | N/A | 4.0 MEDIUM |
| The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary. | |||||
| CVE-2025-3930 | 2025-10-22 | N/A | N/A | ||
| Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1. | |||||
| CVE-2025-62174 | 1 Joinmastodon | 1 Mastodon | 2025-10-20 | N/A | 3.5 LOW |
| Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist. | |||||
| CVE-2025-58437 | 1 Coder | 1 Coder | 2025-10-17 | N/A | 8.1 HIGH |
| Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user that claimed the workspace, but the previous session token for the prebuilds user was not expired. Any Coder workspace templates that persist this automatically generated session token are potentially impacted. This is fixed in versions 2.24.4 and 2.25.2. | |||||