CVE-2024-29070

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-613
View all →

Vulnerability Description

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4

Related Vulnerabilities

CVE-2021-3144

CRITICAL
CVSS:9.1(Critical)

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

CWE-6132021

CVE-2021-35034

CRITICAL
CVSS:9.1(Critical)

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted.

CWE-6132021

CVE-2021-35473

CRITICAL
CVSS:9.1(Critical)

An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired acces...

CWE-6132021

CVE-2021-42545

CRITICAL
CVSS:9.1(Critical)

An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and ad...

CWE-6132021

CVE-2022-2064

CRITICAL
CVSS:9.1(Critical)

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.

CWE-6132022

CVE-2022-24042

CRITICAL
CVSS:9.1(Critical)

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All ve...

CWE-6132022