Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

874 vulnerabilities reference this CWE, most recent first.

GHSA-RV9X-WMW4-44QJ

Vulnerability from github – Published: 2023-01-12 03:30 – Updated: 2023-01-20 16:54
VLAI
Summary
Pyload Insufficient Session Expiration vulnerability
Details

Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0b3.dev35"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:54:01Z",
    "nvd_published_at": "2023-01-12T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.",
  "id": "GHSA-rv9x-wmw4-44qj",
  "modified": "2023-01-20T16:54:17Z",
  "published": "2023-01-12T03:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pyload Insufficient Session Expiration vulnerability"
}

GHSA-RVM5-9PV9-2RRC

Vulnerability from github – Published: 2025-04-18 15:31 – Updated: 2025-04-18 15:31
VLAI
Details

IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0

does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T11:15:44Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 \n\ndoes not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-rvm5-9pv9-2rrc",
  "modified": "2025-04-18T15:31:38Z",
  "published": "2025-04-18T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45651"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7231178"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVW7-WX4G-RQ78

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).

This issue affects Avantra: before 25.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T14:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).\n\nThis issue affects Avantra: before 25.3.1.",
  "id": "GHSA-rvw7-wx4g-rq78",
  "modified": "2026-05-26T13:30:17Z",
  "published": "2026-05-26T13:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8670"
    },
    {
      "type": "WEB",
      "url": "https://support.avantra.com/hc/en-us/articles/5533929912351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RW8H-4H76-H2MX

Vulnerability from github – Published: 2025-04-18 18:31 – Updated: 2025-04-22 15:30
VLAI
Details

An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T17:15:34Z",
    "severity": "HIGH"
  },
  "details": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.",
  "id": "GHSA-rw8h-4h76-h2mx",
  "modified": "2025-04-22T15:30:51Z",
  "published": "2025-04-18T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/#network-analyze"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX2F-PJ28-88G5

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01
VLAI
Details

"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "\"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532.\"",
  "id": "GHSA-rx2f-pj28-88g5",
  "modified": "2022-11-04T19:01:11Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40230"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6622051"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX9C-4X6J-XM83

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-26 00:01
VLAI
Details

A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-17T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.",
  "id": "GHSA-rx9c-4x6j-xm83",
  "modified": "2022-05-26T00:01:11Z",
  "published": "2022-05-18T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23669"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2X8-2RV7-79J3

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-04T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.",
  "id": "GHSA-v2x8-2rv7-79j3",
  "modified": "2022-05-24T19:16:29Z",
  "published": "2022-05-24T19:16:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38823"
    },
    {
      "type": "WEB",
      "url": "https://www.navidkagalwalla.com/icehrm-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V42H-J35F-R8X9

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.",
  "id": "GHSA-v42h-j35f-r8x9",
  "modified": "2022-05-24T17:32:32Z",
  "published": "2022-05-24T17:32:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25374"
    },
    {
      "type": "WEB",
      "url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@virajmota38/full-path-disclosure-8a9358e5a867"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V5G5-WWMP-JPPW

Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-07-01 21:27
VLAI
Summary
Keycloak has Insufficient Session Expiration
Details

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.5.0"
            },
            {
              "fixed": "26.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-9802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T21:27:04Z",
    "nvd_published_at": "2026-05-28T06:16:29Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
  "id": "GHSA-v5g5-wwmp-jppw",
  "modified": "2026-07-01T21:27:04Z",
  "published": "2026-05-28T06:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/49426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/pull/49542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/pull/49619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/pull/49620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/165df48d3f0f42ede8e6082184892ca7cc703989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/3451217e3837ce5e8bbcac2773f0ac44830b95f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/3fde018b98e2729a594a3ac7fc730fde31da2f07"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25097"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25098"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30050"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-9802"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak has Insufficient Session Expiration"
}

GHSA-V7J8-QGF8-RF5G

Vulnerability from github – Published: 2025-07-31 00:31 – Updated: 2025-07-31 00:31
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T00:15:26Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.",
  "id": "GHSA-v7j8-qgf8-rf5g",
  "modified": "2025-07-31T00:31:06Z",
  "published": "2025-07-31T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36040"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7241007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.