Total: 463 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-25019 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2025-08-24 | 4.8 Medium |
| IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 do not invalidate the session after logout, which could allow a user to impersonate another user on the system. | ||||
| CVE-2025-40566 | 1 Siemens | 1 Simatic Pcs Neo | 2025-08-22 | 8.8 High |
| A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout. | ||||
| CVE-2025-53642 | 2 Haxtheweb, Psu | 4 Haxcms-nodejs, Haxcms-php, Haxcms-nodejs and 1 more | 2025-08-22 | 4.8 Medium |
| haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6. | ||||
| CVE-2024-32006 | 1 Siemens | 1 Sinema Remote Connect Client | 2025-08-20 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication. | ||||
| CVE-2025-50484 | 1 Phpgurukul | 1 Small Crm | 2025-08-07 | 7.1 High |
| Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-1198 | 1 Gitlab | 1 Gitlab | 2025-08-06 | 4.2 Medium |
| An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results. | ||||
| CVE-2025-36040 | 1 Ibm | 1 Aspera Faspex | 2025-08-06 | 6.5 Medium |
| IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. | ||||
| CVE-2025-53826 | 1 Filebrowser | 1 Filebrowser | 2025-08-05 | 9.8 Critical |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist. | ||||
| CVE-2025-50491 | 1 Phpgurukul | 1 Bank Locker Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50488 | 1 Phpgurukul | 1 Online Library Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50486 | 1 Phpgurukul | 1 E-diary Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /carrental/update-password.php of PHPGurukul Car Rental Project v3.0 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50485 | 1 Phpgurukul | 1 Online Course Registration | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-50487 | 1 Phpgurukul | 1 Blood Bank & Donor Management System | 2025-07-29 | 7.1 High |
| Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack. | ||||
| CVE-2024-11627 | 1 Progress | 1 Sitefinity | 2025-07-29 | 6.8 Medium |
| Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | ||||
| CVE-2024-50562 | 1 Fortinet | 3 Fortios, Fortipam, Fortisase | 2025-07-25 | 4.4 Medium |
| An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out. | ||||
| CVE-2025-49152 | | | 2025-07-17 | N/A |
| The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system. | ||||
| CVE-2024-29402 | 1 Cskefu | 1 Cskefu | 2025-07-14 | 4.3 Medium |
| cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | ||||
| CVE-2025-28059 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 7.5 High |
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | ||||
| CVE-2024-29070 | 1 Apache | 1 Streampark | 2025-07-10 | 9.1 Critical |
| On versions before 2.1.4, the session is not invalidated after logout. When a user logs in successfully, the backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4. | ||||
| CVE-2024-7998 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | 2.6 Low |
| In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. | ||||
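Every entry above is an instance of the same defect class (CWE-613, Insufficient Session Expiration): a credential that stays usable after logout, after a password change, after the account is deleted, or past its intended lifetime. The following is an added Python example, not code from any of the listed products or vendors, showing the server-side handling that closes each of those gaps: opaque session IDs whose record is deleted on logout and checked against an absolute expiry, and HMAC-signed bearer tokens that carry an `exp` claim and a per-user `ver` claim so that every outstanding token dies when the version is bumped on password change, forced logout or account deletion. The class and method names, the demo secret, the in-memory stores and the SHA-256 password hashing are assumptions made for the demo.

```python
"""Session and token invalidation that actually happens server-side.

Constructed example (not code from any product in the table): an
in-memory auth service with opaque server-side sessions plus signed
bearer tokens carrying an `exp` claim and a per-user `ver` claim.
Logout deletes the session record; password change, forced logout and
account deletion revoke every outstanding session and token.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption for the demo: a real service loads this from a secrets manager.
SECRET = b"constructed-demo-secret"


def _hash(password: str) -> str:
    # Demo only; a real deployment uses a slow KDF (argon2id, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthService:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be exercised
        self._users = {}         # user -> {"pw": hash, "ver": int}
        self._sessions = {}      # session id -> {"user": str, "exp": float}

    # ---- account lifecycle --------------------------------------------
    def register(self, user: str, password: str) -> None:
        self._users[user] = {"pw": _hash(password), "ver": 0}

    def revoke_all(self, user: str) -> None:
        """Kill every session and token for `user`: used on password change,
        admin-forced logout and as the first step of account deletion."""
        self._sessions = {s: v for s, v in self._sessions.items() if v["user"] != user}
        if user in self._users:
            self._users[user]["ver"] += 1     # tokens minted with the old ver are now dead

    def change_password(self, user: str, old: str, new: str) -> bool:
        u = self._users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], _hash(old)):
            return False
        u["pw"] = _hash(new)
        self.revoke_all(user)   # the step the PHPGurukul change-password entries skip
        return True

    def delete_user(self, user: str) -> None:
        self.revoke_all(user)   # the step the Nagios entry skips
        self._users.pop(user, None)

    # ---- opaque server-side sessions ----------------------------------
    def login(self, user: str, password: str, ttl: float = 900) -> Optional[str]:
        u = self._users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)       # fresh random id per login, never client-chosen
        self._sessions[sid] = {"user": user, "exp": self.now() + ttl}
        return sid

    def user_for_session(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["exp"] <= self.now():
            del self._sessions[sid]           # lifetime enforced here, not by the cookie
            return None
        return s["user"]

    def logout(self, sid: str) -> None:
        # Expiring the cookie in the browser is not a logout; the record must go.
        self._sessions.pop(sid, None)

    # ---- signed bearer tokens (JWT-style, HMAC-SHA256) -----------------
    def issue_token(self, user: str, ttl: float = 900) -> str:
        claims = {"sub": user, "exp": self.now() + ttl, "ver": self._users[user]["ver"]}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify_token(self, token: str) -> Optional[str]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
        u = self._users.get(claims.get("sub"))
        if u is None:                         # deleted user: token is dead
            return None
        if claims["exp"] <= self.now():       # a token without exp would never die
            return None
        if claims["ver"] != u["ver"]:         # minted before a logout or password change
            return None
        return claims["sub"]
```

The version-bump check revokes all of a user's tokens at once, which is what a password change or account deletion needs; revoking a single token (an individual logout while other devices stay signed in) needs a per-token `jti` denylist consulted on every request instead. Either way the server has to hold some state and consult it on each request: a purely stateless bearer token, as in the File Browser, StreamPark and Fortinet entries, cannot be invalidated by anything the client does.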