Search Results (7 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-1248 1 Wso2 5 Wso2 Api Manager, Wso2 Identity Server, Wso2 Identity Server As Key Manager and 2 more 2026-07-06 4.8 Medium
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
CVE-2025-61736 1 Johnsoncontrols 5 Istar Edge, Istar Ultra, Istar Ultra Lt and 2 more 2026-04-15 N/A
Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.
CVE-2025-59036 1 Opsmill 1 Infrahub 2026-04-15 5.5 Medium
Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
CVE-2025-4384 1 Arcinfo 1 Pcvue 2026-04-15 N/A
The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw.
CVE-2025-67109 1 Eclipse 2 Cyclone Data Distribution Service, Cyclonedds 2026-01-06 10 Critical
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
CVE-2025-67108 1 Eprosima 1 Fast Dds 2026-01-02 10 Critical
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
CVE-2023-42446 1 Powauth 1 Pow 2024-11-21 6.5 Medium
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.