CVE-2022-25590: There is a logout logic vulnerability in the background · Issue #7 · javahuang/SurveyKing

SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to log in to the system and access data using the browser cache after the user exits the application.


Version: v0.2.0
First, log in to the background (admin panel) normally and send some query requests; pay attention to the cookies.

Then click the logout button. At this point the back-end code does not delete the user's session; it only redirects to the login page. The requested data can still be obtained normally with the previous cookie, so an attacker can get back into the system from the browser cache after the user has logged out.

Repair suggestion: on logout, invalidate the user's server-side session first, and only then redirect to the login page.
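The flaw and the repair, as an added illustration that is not SurveyKing's code: a minimal constructed session store with the reported logout pattern (redirect only) beside the fixed one (invalidate, then redirect), plus the regression check a tester would run, replaying the pre-logout cookie. The cookie name `sid`, the credential check and the store layout are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Constructed in-memory session model (hypothetical, not SurveyKing's code)."""
    sessions: Dict[str, str] = field(default_factory=dict)  # cookie value -> username

    def login(self, username: str, password: str) -> Optional[str]:
        # Constructed credential check; a real app verifies a password hash.
        if password != "correct-horse":
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        """Authenticate a request by its session cookie; None means not logged in."""
        return self.sessions.get(sid) if sid else None

    def logout_vulnerable(self, sid: str) -> dict:
        """Pattern reported in the issue: redirect only, server-side session kept."""
        return {"Location": "/login"}

    def logout_fixed(self, sid: str) -> dict:
        """Suggested repair: drop the server-side session, expire the cookie, then redirect."""
        self.sessions.pop(sid, None)
        return {"Location": "/login", "Set-Cookie": "sid=; Max-Age=0; Path=/; HttpOnly"}


def replay_after_logout(fixed: bool) -> bool:
    """Regression check: log in, log out, replay the old cookie.
    Returns True when the replayed cookie is still accepted (the reported bug)."""
    store = SessionStore()
    sid = store.login("admin", "correct-horse")
    assert store.whoami(sid) == "admin"          # cookie works before logout
    logout = store.logout_fixed if fixed else store.logout_vulnerable
    response = logout(sid)
    assert response["Location"] == "/login"       # both variants redirect
    return store.whoami(sid) is not None          # does the old cookie still work?


if __name__ == "__main__":
    print("vulnerable logout, cookie still valid:", replay_after_logout(fixed=False))
    print("fixed logout, cookie still valid:     ", replay_after_logout(fixed=True))
```

The same check works against a live instance: capture the cookie before logout, log out, replay the cookie against an authenticated endpoint and expect a 401/redirect rather than data.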
