{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24973", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-29T15:18:03.211Z", "datePublished": "2025-02-11T15:41:41.811Z", "dateUpdated": "2025-02-11T16:12:06.824Z"}, "containers": {"cna": {"title": "Concorde not removing authentication tokens after logging out", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nexryai/concorde/security/advisories/GHSA-2369-p2wh-7cc2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nexryai/concorde/security/advisories/GHSA-2369-p2wh-7cc2"}, {"name": "https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e", "tags": ["x_refsource_MISC"], "url": "https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e"}], "affected": [{"vendor": "nexryai", "product": "concorde", "versions": [{"version": "< 12.25Q1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-11T15:41:41.811Z"}, "descriptions": [{"lang": "en", "value": "Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out."}], "source": {"advisory": "GHSA-2369-p2wh-7cc2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T16:11:36.043904Z", "id": "CVE-2025-24973", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T16:12:06.824Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24973", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-11T16:11:36.043904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T16:12:02.423Z"}}], "cna": {"title": "Concorde not removing authentication tokens after logging out", "source": {"advisory": "GHSA-2369-p2wh-7cc2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nexryai", "product": "concorde", "versions": [{"status": "affected", "version": "< 12.25Q1.1"}]}], "references": [{"url": "https://github.com/nexryai/concorde/security/advisories/GHSA-2369-p2wh-7cc2", "name": "https://github.com/nexryai/concorde/security/advisories/GHSA-2369-p2wh-7cc2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e", "name": "https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-11T15:41:41.811Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24973", "state": "PUBLISHED", "dateUpdated": "2025-02-11T16:12:06.824Z", "dateReserved": "2025-01-29T15:18:03.211Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-11T15:41:41.811Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out."}, {"lang": "es", "value": "Concorde, anteriormente conocida como Nexkey, es una bifurcaci\u00f3n de la plataforma de microblogging federada Misskey. Antes de la versi\u00f3n 12.25Q1.1, debido a una implementaci\u00f3n incorrecta del proceso de cierre de sesi\u00f3n, las credenciales de autenticaci\u00f3n permanec\u00edan en las cookies incluso despu\u00e9s de que un usuario cerrara sesi\u00f3n expl\u00edcitamente, lo que pod\u00eda permitir a un atacante robar tokens de autenticaci\u00f3n. Esto podr\u00eda tener consecuencias devastadoras si un usuario con privilegios de administrador est\u00e1 (o estaba) usando un dispositivo compartido. Los usuarios que hayan iniciado sesi\u00f3n en un dispositivo compartido deben ir a Configuraci\u00f3n &gt; Seguridad y regenerar sus tokens de inicio de sesi\u00f3n. La versi\u00f3n 12.25Q1.1 soluciona el problema. Como workaround, borre las cookies y los datos del sitio en el navegador despu\u00e9s de cerrar sesi\u00f3n. "}], "id": "CVE-2025-24973", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-11T16:15:52.020", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nexryai/concorde/commit/1f6ac9b289906083b132e4f9667a31a60ef83e4e"}, {"source": "security-advisories@github.com", "url": "https://github.com/nexryai/concorde/security/advisories/GHSA-2369-p2wh-7cc2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-06-17T12:08:35.915519+00:00", "updated": "2025-06-17T12:08:35.915564+00:00", "vendors": ["nexryai", "nexryai$PRODUCT$concorde"]}