CVE-2024-35220 – @fastify/session reuses destroyed session cookie
https://notcve.org/view.php?id=CVE-2024-35220
@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired, and thus expired sessions are not destroyed. This vulnerability has been patched in 10.8.0.
References: https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f https://github.com/fastify/session/issues/251 https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg
Weakness: CWE-613: Insufficient Session Expiration
CVE-2015-8566 – Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution
https://notcve.org/view.php?id=CVE-2015-8566
The Session package 1.x before 1.3.1 for Joomla! Framework allows remote attackers to execute arbitrary code via unspecified session values.
References: https://www.exploit-db.com/exploits/39033 http://www.securityfocus.com/bid/79197 https://developer.joomla.org/security-centre/637-20151205-session-remote-code-execution-vulnerability.html