Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-9P5P-94M7-4MP9

Vulnerability from github – Published: 2024-09-18 12:31 – Updated: 2024-09-18 12:31
VLAI
Details

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T12:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.",
  "id": "GHSA-9p5p-94m7-4mp9",
  "modified": "2024-09-18T12:31:32Z",
  "published": "2024-09-18T12:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8888"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q24-C9H6-H244

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31
VLAI
Details

Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.",
  "id": "GHSA-9q24-c9h6-h244",
  "modified": "2025-01-10T18:31:40Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13280"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q4H-7J59-Q25X

Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-12 00:30
VLAI
Details

An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T16:15:13Z",
    "severity": "HIGH"
  },
  "details": "An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.",
  "id": "GHSA-9q4h-7j59-q25x",
  "modified": "2024-10-12T00:30:47Z",
  "published": "2024-10-11T18:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbondCo/Watcharr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbondCo/Watcharr/releases/tag/v1.43.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yamerooo123/CVE/blob/main/CVE-2024-48827/Description.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q94-V7CH-MXQW

Vulnerability from github – Published: 2021-08-02 17:35 – Updated: 2021-05-25 20:12
VLAI
Summary
Insufficient Session Expiration and TOCTOU Race Condition in OPC FOundation UA .Net Standard
Details

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.358.30"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "OPCFoundation.NetStandard.Opc.Ua"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.359.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T20:12:12Z",
    "nvd_published_at": "2020-04-22T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.",
  "id": "GHSA-9q94-v7ch-mxqw",
  "modified": "2021-05-25T20:12:12Z",
  "published": "2021-08-02T17:35:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OPCFoundation/UA-.NETStandard/releases/tag/1.4.359.31"
    },
    {
      "type": "WEB",
      "url": "https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2020-8867.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration and TOCTOU Race Condition in OPC FOundation UA .Net Standard"
}

GHSA-9R58-7QGH-QJQ2

Vulnerability from github – Published: 2025-04-14 15:31 – Updated: 2025-04-14 15:31
VLAI
Details

IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-14T15:15:23Z",
    "severity": "MODERATE"
  },
  "details": "IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-9r58-7qgh-qjq2",
  "modified": "2025-04-14T15:31:59Z",
  "published": "2025-04-14T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49825"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7230848"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RFX-MM7M-3CG2

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-04T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.",
  "id": "GHSA-9rfx-mm7m-3cg2",
  "modified": "2022-05-24T19:16:29Z",
  "published": "2022-05-24T19:16:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37333"
    },
    {
      "type": "WEB",
      "url": "https://www.navidkagalwalla.com/booking-core-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9RPJ-R444-XVP8

Vulnerability from github – Published: 2023-08-08 09:30 – Updated: 2024-04-04 06:37
VLAI
Details

This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. By reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-08T09:15:10Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. \nBy reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.\n",
  "id": "GHSA-9rpj-r444-xvp8",
  "modified": "2024-04-04T06:37:47Z",
  "published": "2023-08-08T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37570"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0226"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V5V-3JHC-PFFJ

Vulnerability from github – Published: 2025-05-11 03:30 – Updated: 2026-05-27 15:32
VLAI
Details

A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-11T03:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in D\u00edgitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-9v5v-3jhc-pffj",
  "modified": "2026-05-27T15:32:59Z",
  "published": "2025-05-11T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4528"
    },
    {
      "type": "WEB",
      "url": "https://digitro.com/recomendacao-10-2026-ctir-gov"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.308273"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.308273"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.565309"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/565309"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/308273"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/308273/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/recomendacoes/2026/recomendacao-10-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9WWP-Q7WQ-JX35

Vulnerability from github – Published: 2024-04-10 17:15 – Updated: 2024-04-11 14:31
VLAI
Summary
@fastify/secure-session: Reuse of destroyed secure session cookie
Details

Impact

At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing the data from a server-side session, but technically that session is generated solely from a user provided cookie (which is assumed to be non-craftable because it is encrypted with a secret key not known to the user).

The issue exists in the session removal process. In the delete function of the code, when the session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could keep using it forever.

Patches

Fixed in 56d66642ecc633cff0606927601e81cdac361370. Update to v7.3.0.

Workarounds

Include a "last update" field in the session, and treat "old sessions" as expired. Make sure to configure your cookie as "http only".

References

  • https://hackerone.com/reports/2374253
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/secure-session"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:15:50Z",
    "nvd_published_at": "2024-04-10T22:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAt the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing the data from a server-side session, but technically that session is generated solely from a user provided cookie (which is assumed to be non-craftable because it is encrypted with a secret key not known to the user).\n\nThe issue exists in the session removal process. In the delete function of the code, when the session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could keep using it forever.\n\n### Patches\n\nFixed in 56d66642ecc633cff0606927601e81cdac361370.\nUpdate to v7.3.0.\n\n### Workarounds\n\nInclude a \"last update\" field in the session, and treat \"old sessions\" as expired. \nMake sure to configure your cookie as \"http only\".\n\n### References\n\n* https://hackerone.com/reports/2374253\n",
  "id": "GHSA-9wwp-q7wq-jx35",
  "modified": "2024-04-11T14:31:13Z",
  "published": "2024-04-10T17:15:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-secure-session/commit/56d66642ecc633cff0606927601e81cdac361370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-secure-session"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@fastify/secure-session: Reuse of destroyed secure session cookie"
}

GHSA-C2HR-FWVR-RXJM

Vulnerability from github – Published: 2023-11-01 03:30 – Updated: 2023-11-01 03:30
VLAI
Details

Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-01T01:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.",
  "id": "GHSA-c2hr-fwvr-rxjm",
  "modified": "2023-11-01T03:30:58Z",
  "published": "2023-11-01T03:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pkp/pkp-lib/commit/32d071ef2090fc336bc17d56a86d1dff90c26f0b"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/fba2991a-1b8a-4c89-9689-d708526928e1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.