CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-P38C-8PG2-FQX5
Vulnerability from github – Published: 2024-07-30 18:32 – Updated: 2024-07-30 18:32IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.
{
"affected": [],
"aliases": [
"CVE-2023-26288"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T17:15:11Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.",
"id": "GHSA-p38c-8pg2-fqx5",
"modified": "2024-07-30T18:32:06Z",
"published": "2024-07-30T18:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26288"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248477"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7161538"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P437-2C77-84P4
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
{
"affected": [],
"aliases": [
"CVE-2021-25940"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-16T10:15:00Z",
"severity": "HIGH"
},
"details": "In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user\u2019s password is changed by the administrator, the session isn\u2019t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.",
"id": "GHSA-p437-2c77-84p4",
"modified": "2022-05-24T22:28:49Z",
"published": "2022-05-24T22:28:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25940"
},
{
"type": "WEB",
"url": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P45M-MV49-39FW
Vulnerability from github – Published: 2023-02-11 03:32 – Updated: 2023-02-21 18:30SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-34392"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-11T01:23:00Z",
"severity": "MODERATE"
},
"details": "SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.",
"id": "GHSA-p45m-mv49-39fw",
"modified": "2023-02-21T18:30:24Z",
"published": "2023-02-11T03:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34392"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000204114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P523-JRPH-QJC6
Vulnerability from github – Published: 2022-01-06 23:49 – Updated: 2022-01-06 20:17Impact
Automatically invalidate sessions upon password change
Patches
We recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.
For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
References
https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/shopware"
},
"ranges": [
{
"events": [
{
"introduced": "5.7.3"
},
{
"fixed": "5.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21652"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-06T20:17:22Z",
"nvd_published_at": "2022-01-05T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nAutomatically invalidate sessions upon password change\n\n### Patches\n\nWe recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n### References\n\nhttps://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022\n",
"id": "GHSA-p523-jrph-qjc6",
"modified": "2022-01-06T20:17:22Z",
"published": "2022-01-06T23:49:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21652"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in shopware"
}
GHSA-P594-WH4R-V877
Vulnerability from github – Published: 2024-03-14 15:34 – Updated: 2024-03-14 15:34Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the 'Login.asp and logout.asp' files do not handle session details correctly.
{
"affected": [],
"aliases": [
"CVE-2024-1623"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T13:15:53Z",
"severity": "HIGH"
},
"details": "Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the \u0027Login.asp and logout.asp\u0027 files do not handle session details correctly.",
"id": "GHSA-p594-wh4r-v877",
"modified": "2024-03-14T15:34:06Z",
"published": "2024-03-14T15:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1623"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P68J-Q8J9-JWF5
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.
{
"affected": [],
"aliases": [
"CVE-2026-53830"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:54Z",
"severity": "MODERATE"
},
"details": "OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.",
"id": "GHSA-p68j-q8j9-jwf5",
"modified": "2026-06-13T00:34:32Z",
"published": "2026-06-13T00:34:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53830"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-secret-revocation-bypass-via-secrets-reload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P7MX-FRQJ-J9HQ
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the application URL.
{
"affected": [],
"aliases": [
"CVE-2017-3966"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-04T13:29:00Z",
"severity": "MODERATE"
},
"details": "Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user\u0027s browser via reusing the exposed session token in the application URL.",
"id": "GHSA-p7mx-frqj-j9hq",
"modified": "2022-05-13T01:36:40Z",
"published": "2022-05-13T01:36:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3966"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PC62-V6R5-973X
Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.
{
"affected": [],
"aliases": [
"CVE-2022-50692"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T23:15:44Z",
"severity": "MODERATE"
},
"details": "SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.",
"id": "GHSA-pc62-v6r5-973x",
"modified": "2025-12-31T00:31:10Z",
"published": "2025-12-31T00:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50692"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2022120030"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247956"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/170251/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Insufficient-Session-Expiration.html"
},
{
"type": "WEB",
"url": "https://www.sound4.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-insufficient-session-expiration-vulnerability"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PF92-7X8P-6X5M
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.
{
"affected": [],
"aliases": [
"CVE-2019-3867"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user\u0027s container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.",
"id": "GHSA-pf92-7x8p-6x5m",
"modified": "2022-05-24T17:44:46Z",
"published": "2022-05-24T17:44:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3867"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772704"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PGPR-4M7F-52MM
Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2022-02-03 00:00In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.
{
"affected": [],
"aliases": [
"CVE-2022-22122"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-13T17:15:00Z",
"severity": "CRITICAL"
},
"details": "In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser\u2019s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.",
"id": "GHSA-pgpr-4m7f-52mm",
"modified": "2022-02-03T00:00:50Z",
"published": "2022-01-14T00:02:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22122"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/0142c114e9325722d6c8e8ca00f10f0f34dd0409"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/0ebc9a4be110764a2510bf886531f21e21b079ea"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/2f08c6782762e58e008bd50f3892cb1cdd1be539"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/6104de5ba51f79d749b9d5406fde5c2983fc5c5c"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/87f4dd224c8736778a8f23788a92471b11da9061"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/focalboard/commit/a2fab2c1d9b3f61871f6da4dc434a2b19ca9552c"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/commit/0a042ca05fefa0584045bab1b7dae102360c98c5"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/commit/5f7fd34956ad5bf7e3697a920e377e11c16dda06"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/commit/6a4c881450973284c3ed98f39bde4809ddd8a758"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/commit/74e87ec3e623202a9654ae164e834cfe26dd6ec3"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/commit/7bc182de9eebb708d62b828213144a1aa4560fa0"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22122"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.