
CVSS: 9.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Feb 2025 — Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Securit... • https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e • CWE-613: Insufficient Session Expiration •

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Feb 2025 — Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper cookie settings for MediaProxy authentication, MediaProxy authentication can be bypassed. In versions prior to 12.25Q1.1, the authentication cookie does not have the SameSite attribute. This allows an attacker to bypass MediaProxy authentication and load any image without restrictions under certain circumstances. In versions ... • https://github.com/nexryai/concorde/commit/2309b4a292828ddba4d57cf0e914bc433095871d • CWE-352: Cross-Site Request Forgery (CSRF) •