Total: 413 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-33507 | 1 Fortinet | 1 Fortiisolator | 2025-10-15 | N/A | 7.4 HIGH |
| An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the authentication mechanism of FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions may allow a remote unauthenticated attacker to deauthenticate logged-in admins via a crafted cookie and a remote authenticated read-only attacker to gain write privilege via a crafted cookie. | |||||
| CVE-2025-25252 | 1 Fortinet | 1 Fortios | 2025-10-15 | N/A | 4.8 MEDIUM |
| An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of the SAML record. | |||||
| CVE-2024-52311 | 1 Amazon | 1 Data.all | 2025-10-14 | N/A | 6.3 MEDIUM |
| Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing a previously authenticated user to continue executing authorized API requests until the token expires. | |||||
| CVE-2025-61775 | | | 2025-10-14 | N/A | N/A |
| Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed in version 2025.10.0 by improving validation logic to ensure verification links behave as expected after completion. | |||||
| CVE-2024-45187 | 1 Mage | 1 Mage-ai | 2025-10-10 | N/A | 7.1 HIGH |
| Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges, specifically access to remotely execute arbitrary code through the Mage AI terminal server. | |||||
| CVE-2025-31952 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | N/A | 7.1 HIGH |
| HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access. | |||||
| CVE-2025-59841 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 9.8 CRITICAL |
| Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1. | |||||
| CVE-2025-10223 | 1 Axxonsoft | 1 Axxon One | 2025-10-08 | N/A | 5.4 MEDIUM |
| Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an unexpired session token until natural expiration. | |||||
| CVE-2023-49881 | 1 Ibm | 1 Transformation Extender Advanced | 2025-10-03 | N/A | 6.3 MEDIUM |
| IBM Transformation Extender Advanced 10.0.1 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2025-54592 | 1 Freshrss | 1 Freshrss | 2025-10-03 | N/A | 9.8 CRITICAL |
| FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0. | |||||
| CVE-2025-46741 | | | 2025-10-01 | N/A | 5.7 MEDIUM |
| A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred. | |||||
| CVE-2024-43685 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2025-09-29 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking. This issue affects TimeProvider 4100: from 1.0 before 2.4.7. | |||||
| CVE-2024-48827 | 1 Sbond | 1 Watcharr | 2025-09-29 | N/A | 8.8 HIGH |
| An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function. | |||||
| CVE-2025-43819 | | | 2025-09-24 | N/A | N/A |
| An Insufficient Session Expiration vulnerability in Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 allows a remote non-authenticated attacker to reuse an old user session via the SLO API. | |||||
| CVE-2025-30516 | 1 Mattermost | 1 Mattermost Mobile | 2025-09-24 | N/A | 2.0 LOW |
| Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications. | |||||
| CVE-2025-59335 | 1 Cubecart | 1 Cubecart | 2025-09-23 | N/A | 7.1 HIGH |
| CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker’s access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11. | |||||
| CVE-2025-35433 | 1 Cisa | 1 Thorium | 2025-09-23 | N/A | 5.0 MEDIUM |
| CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1. | |||||
| CVE-2024-29401 | 1 Mindskip | 1 Xzs-mysql | 2025-09-19 | N/A | 9.8 CRITICAL |
| xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. | |||||
| CVE-2025-58352 | 1 Weblate | 1 Weblate | 2025-09-18 | N/A | 6.5 MEDIUM |
| Weblate is a web-based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1. | |||||
| CVE-2025-57766 | 1 Ethyca | 1 Fides | 2025-09-10 | N/A | 4.8 MEDIUM |
| Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available. | |||||
