Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-4647-M5CG-QGFR

Vulnerability from github – Published: 2026-01-20 18:31 – Updated: 2026-01-20 18:31
VLAI
Details

IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T16:16:03Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-4647-m5cg-qgfr",
  "modified": "2026-01-20T18:31:57Z",
  "published": "2026-01-20T18:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36063"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7257244"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-465W-GG5P-85C9

Vulnerability from github – Published: 2021-05-18 21:09 – Updated: 2021-05-18 20:45
VLAI
Summary
Insufficient Session Expiration in Kiali
Details

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kiali/kiali"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "1.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T20:45:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.",
  "id": "GHSA-465w-gg5p-85c9",
  "modified": "2021-05-18T20:45:55Z",
  "published": "2021-05-18T21:09:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/c91a0949683976f621cca213c1193831d63b381c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810387"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
    },
    {
      "type": "WEB",
      "url": "https://kiali.io/news/security-bulletins/kiali-security-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Kiali"
}

GHSA-4688-8PMG-JW5W

Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-02-11 12:30
VLAI
Details

A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions < V19 Update 1), TIA Administrator (All versions < V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T11:15:13Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions \u003c V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions \u003c V5.0 Update 1), SIMOCODE ES V19 (All versions \u003c V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions \u003c V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions \u003c V19 Update 1), TIA Administrator (All versions \u003c V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user\u0027s session even after logout.",
  "id": "GHSA-4688-8pmg-jw5w",
  "modified": "2025-02-11T12:30:54Z",
  "published": "2025-02-11T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45386"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-342348.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-46MJ-7XPV-PPRW

Vulnerability from github – Published: 2024-04-12 18:33 – Updated: 2024-04-12 18:33
VLAI
Details

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T17:17:22Z",
    "severity": "MODERATE"
  },
  "details": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy  8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  280896.",
  "id": "GHSA-46mj-7xpv-pprw",
  "modified": "2024-04-12T18:33:27Z",
  "published": "2024-04-12T18:33:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22358"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/280896"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7148109"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48RG-3G52-267G

Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32
VLAI
Details

ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T21:16:59Z",
    "severity": "LOW"
  },
  "details": "ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-48rg-3g52-267g",
  "modified": "2026-07-14T21:32:23Z",
  "published": "2026-07-14T21:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48329"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4957-H36G-34J9

Vulnerability from github – Published: 2026-07-05 09:30 – Updated: 2026-07-05 09:30
VLAI
Details

A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-05T08:16:27Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.",
  "id": "GHSA-4957-h36g-34j9",
  "modified": "2026-07-05T09:30:24Z",
  "published": "2026-07-05T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14725"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@hemantrajbhati5555/improper-session-invalidation-in-online-boat-reservation-system-using-php-acebd53a8ae7"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-14725"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/847674"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376311"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376311/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4CX2-827F-FP6C

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-05T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.",
  "id": "GHSA-4cx2-827f-fp6c",
  "modified": "2022-05-24T17:33:12Z",
  "published": "2022-05-24T17:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15950"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/advisories"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/advisories/immuta-version-2.8.2"
    },
    {
      "type": "WEB",
      "url": "https://www.immuta.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4CX3-3C38-J9VV

Vulnerability from github – Published: 2026-05-07 02:13 – Updated: 2026-05-29 21:45
VLAI
Summary
katalyst-koi: Session cookies can be replayed after user logout
Details

Impact

Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.

This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.

Patches

The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.

Users should upgrade to the patched Koi releases once available.

Workarounds

Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0

Resources

This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "katalyst-koi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "katalyst-koi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T02:13:42Z",
    "nvd_published_at": "2026-05-14T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAdmin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.\n\nThis affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.\n\n### Patches\n\nThe issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user\u2019s most recent logout.\n\nUsers should upgrade to the patched Koi releases once available.\n\n### Workarounds\n\nKatalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0\n\n### Resources\n\nThis is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions",
  "id": "GHSA-4cx3-3c38-j9vv",
  "modified": "2026-05-29T21:45:23Z",
  "published": "2026-05-07T02:13:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44511"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/katalyst/koi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katalyst-koi/CVE-2026-44511.yml"
    },
    {
      "type": "WEB",
      "url": "https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "katalyst-koi: Session cookies can be replayed after user logout"
}

GHSA-4G47-3FX3-5Q52

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-10T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.",
  "id": "GHSA-4g47-3fx3-5q52",
  "modified": "2022-05-24T17:35:58Z",
  "published": "2022-05-24T17:35:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29667"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jet-pentest/CVE-2020-29667"
    },
    {
      "type": "WEB",
      "url": "http://lanatmservice.ru"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4GQG-M5MW-G8MG

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:59
VLAI
Details

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-21018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-22T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.",
  "id": "GHSA-4gqg-m5mw-g8mg",
  "modified": "2024-04-04T01:59:08Z",
  "published": "2022-05-24T16:56:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tootsuite/mastodon/pull/9329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tootsuite/mastodon/pull/9381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.