CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
874 vulnerabilities reference this CWE, most recent first.
GHSA-RV9X-WMW4-44QJ
Vulnerability from github – Published: 2023-01-12 03:30 – Updated: 2023-01-20 16:54Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0b3.dev35"
},
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0227"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T20:54:01Z",
"nvd_published_at": "2023-01-12T01:15:00Z",
"severity": "MODERATE"
},
"details": "Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.",
"id": "GHSA-rv9x-wmw4-44qj",
"modified": "2023-01-20T16:54:17Z",
"published": "2023-01-12T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0227"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pyload Insufficient Session Expiration vulnerability"
}
GHSA-RVM5-9PV9-2RRC
Vulnerability from github – Published: 2025-04-18 15:31 – Updated: 2025-04-18 15:31IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0
does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-45651"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-18T11:15:44Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 \n\ndoes not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-rvm5-9pv9-2rrc",
"modified": "2025-04-18T15:31:38Z",
"published": "2025-04-18T15:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45651"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7231178"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RVW7-WX4G-RQ78
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).
This issue affects Avantra: before 25.3.1.
{
"affected": [],
"aliases": [
"CVE-2026-8670"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T14:16:29Z",
"severity": "CRITICAL"
},
"details": "Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).\n\nThis issue affects Avantra: before 25.3.1.",
"id": "GHSA-rvw7-wx4g-rq78",
"modified": "2026-05-26T13:30:17Z",
"published": "2026-05-26T13:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8670"
},
{
"type": "WEB",
"url": "https://support.avantra.com/hc/en-us/articles/5533929912351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW8H-4H76-H2MX
Vulnerability from github – Published: 2025-04-18 18:31 – Updated: 2025-04-22 15:30An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
{
"affected": [],
"aliases": [
"CVE-2025-28059"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-18T17:15:34Z",
"severity": "HIGH"
},
"details": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.",
"id": "GHSA-rw8h-4h76-h2mx",
"modified": "2025-04-22T15:30:51Z",
"published": "2025-04-18T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28059"
},
{
"type": "WEB",
"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/#network-analyze"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX2F-PJ28-88G5
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532."
{
"affected": [],
"aliases": [
"CVE-2022-40230"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "\"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532.\"",
"id": "GHSA-rx2f-pj28-88g5",
"modified": "2022-11-04T19:01:11Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40230"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6622051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX9C-4X6J-XM83
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-26 00:01A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-23669"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-17T18:15:00Z",
"severity": "HIGH"
},
"details": "A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.",
"id": "GHSA-rx9c-4x6j-xm83",
"modified": "2022-05-26T00:01:11Z",
"published": "2022-05-18T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23669"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2X8-2RV7-79J3
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
{
"affected": [],
"aliases": [
"CVE-2021-38823"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-04T14:15:00Z",
"severity": "CRITICAL"
},
"details": "The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.",
"id": "GHSA-v2x8-2rv7-79j3",
"modified": "2022-05-24T19:16:29Z",
"published": "2022-05-24T19:16:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38823"
},
{
"type": "WEB",
"url": "https://www.navidkagalwalla.com/icehrm-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V42H-J35F-R8X9
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.
{
"affected": [],
"aliases": [
"CVE-2020-25374"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.",
"id": "GHSA-v42h-j35f-r8x9",
"modified": "2022-05-24T17:32:32Z",
"published": "2022-05-24T17:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25374"
},
{
"type": "WEB",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm"
},
{
"type": "WEB",
"url": "https://medium.com/@virajmota38/full-path-disclosure-8a9358e5a867"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V5G5-WWMP-JPPW
Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-07-01 21:27A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "26.5.0"
},
{
"fixed": "26.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9802"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:27:04Z",
"nvd_published_at": "2026-05-28T06:16:29Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
"id": "GHSA-v5g5-wwmp-jppw",
"modified": "2026-07-01T21:27:04Z",
"published": "2026-05-28T06:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/49426"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/49542"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/49619"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/49620"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/165df48d3f0f42ede8e6082184892ca7cc703989"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/3451217e3837ce5e8bbcac2773f0ac44830b95f1"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/3fde018b98e2729a594a3ac7fc730fde31da2f07"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak has Insufficient Session Expiration"
}
GHSA-V7J8-QGF8-RF5G
Vulnerability from github – Published: 2025-07-31 00:31 – Updated: 2025-07-31 00:31IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.
{
"affected": [],
"aliases": [
"CVE-2025-36040"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T00:15:26Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.",
"id": "GHSA-v7j8-qgf8-rf5g",
"modified": "2025-07-31T00:31:06Z",
"published": "2025-07-31T00:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36040"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7241007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.