Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-J8HM-JP32-F55J

Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-20T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-j8hm-jp32-f55j",
  "modified": "2022-06-29T00:00:57Z",
  "published": "2022-06-21T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22318"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6596049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8QV-C9RP-9GQJ

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-14T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the \"credential\" cookie, which might make it easier for attackers to obtain access at a later time (e.g., \"at least for a few minutes\"). NOTE: there is no documentation stating that the web UI\u0027s logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.",
  "id": "GHSA-j8qv-c9rp-9gqj",
  "modified": "2022-05-13T01:06:01Z",
  "published": "2022-05-13T01:06:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10990"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCGV-XJW5-6WP4

Vulnerability from github – Published: 2025-01-04 03:33 – Updated: 2025-01-06 18:31
VLAI
Details

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-04T02:15:07Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.",
  "id": "GHSA-jcgv-xjw5-6wp4",
  "modified": "2025-01-06T18:31:02Z",
  "published": "2025-01-04T03:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22386"
    },
    {
      "type": "WEB",
      "url": "https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCJX-C3J3-44PR

Vulnerability from github – Published: 2021-11-10 16:44 – Updated: 2021-11-08 21:09
VLAI
Summary
Insufficient Session Expiration in @cyyynthia/tokenize
Details

Impact

A bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the lastTokenReset field.

Patches

Version 1.1.3 contains a patch that'll invalidate these faulty tokens and make new ones behave as expected.

Workarounds

None. Tokens do not hold the necessary information to perform invalidation anymore.

References

PR #1

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/cyyynthia/tokenize * Email us at cynthia@cynthia.dev

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cyyynthia/tokenize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-08T21:09:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nA bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the `lastTokenReset` field.\n\n### Patches\nVersion 1.1.3 contains a patch that\u0027ll invalidate these faulty tokens and make new ones behave as expected.\n\n### Workarounds\nNone. Tokens do not hold the necessary information to perform invalidation anymore.\n\n### References\nPR #1\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/cyyynthia/tokenize](https://github.com/cyyynthia/tokenize)\n* Email us at [cynthia@cynthia.dev](mailto:cynthia@cynthia.dev)\n",
  "id": "GHSA-jcjx-c3j3-44pr",
  "modified": "2021-11-08T21:09:02Z",
  "published": "2021-11-10T16:44:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cyyynthia/tokenize/security/advisories/GHSA-jcjx-c3j3-44pr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cyyynthia/tokenize"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Insufficient Session Expiration in @cyyynthia/tokenize"
}

GHSA-JG95-R9XH-XW9C

Vulnerability from github – Published: 2024-08-23 21:30 – Updated: 2025-10-13 15:45
VLAI
Summary
Mage AI incorrectly gives privileges to users with deleted accounts
Details

Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mage-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.9.73"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-23T22:51:28Z",
    "nvd_published_at": "2024-08-23T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.",
  "id": "GHSA-jg95-r9xh-xw9c",
  "modified": "2025-10-13T15:45:48Z",
  "published": "2024-08-23T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45187"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mage-ai/mage-ai"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mage AI incorrectly gives privileges to users with deleted accounts"
}

GHSA-JG98-XFVF-7PVV

Vulnerability from github – Published: 2021-12-30 00:00 – Updated: 2022-01-12 00:02
VLAI
Details

An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-29T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.",
  "id": "GHSA-jg98-xfvf-7pvv",
  "modified": "2022-01-12T00:02:13Z",
  "published": "2021-12-30T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45885"
    },
    {
      "type": "WEB",
      "url": "https://advisories.stormshield.eu"
    },
    {
      "type": "WEB",
      "url": "https://advisories.stormshield.eu/2021-069"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JJX8-FGCM-MHJX

Vulnerability from github – Published: 2024-10-07 18:31 – Updated: 2024-11-05 00:31
VLAI
Details

IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-07T16:15:05Z",
    "severity": "MODERATE"
  },
  "details": "IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired.",
  "id": "GHSA-jjx8-fgcm-mhjx",
  "modified": "2024-11-05T00:31:27Z",
  "published": "2024-10-07T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Anonymous120386/Anonymous"
    },
    {
      "type": "WEB",
      "url": "https://www.iothaat.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM72-67RM-763J

Vulnerability from github – Published: 2022-04-21 01:54 – Updated: 2025-06-09 17:48
VLAI
Summary
MantisBT Insufficient Session Expiration cookie string not reset after logout
Details

An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.24.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2009-20001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T23:02:24Z",
    "nvd_published_at": "2021-03-07T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user\u0027s cookie to login as them.",
  "id": "GHSA-jm72-67rm-763j",
  "modified": "2025-06-09T17:48:33Z",
  "published": "2022-04-21T01:54:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-20001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/79a78c09d5ef5ce098adc73f6f1416f00fc238a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=11296"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=27976"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MantisBT Insufficient Session Expiration cookie string not reset after logout"
}

GHSA-JP3H-X882-5CRH

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00
VLAI
Details

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SIMATIC MV540 H (All versions \u003c V3.3), SIMATIC MV540 S (All versions \u003c V3.3), SIMATIC MV550 H (All versions \u003c V3.3), SIMATIC MV550 S (All versions \u003c V3.3), SIMATIC MV560 U (All versions \u003c V3.3), SIMATIC MV560 X (All versions \u003c V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users\u0027 sessions.",
  "id": "GHSA-jp3h-x882-5crh",
  "modified": "2022-07-16T00:00:23Z",
  "published": "2022-07-13T00:01:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33137"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JP9R-HWVP-X6C8

Vulnerability from github – Published: 2026-03-02 03:30 – Updated: 2026-03-02 03:30
VLAI
Details

A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T01:16:02Z",
    "severity": "LOW"
  },
  "details": "A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.",
  "id": "GHSA-jp9r-hwvp-x6c8",
  "modified": "2026-03-02T03:30:20Z",
  "published": "2026-03-02T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiranerakkot/Web-based-Pharmacy-Product-Management-System/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.348296"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.348296"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.762795"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.