CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
872 vulnerabilities reference this CWE, most recent first.
GHSA-W87J-439W-P9F3
Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2025-11-03 21:30A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
{
"affected": [],
"aliases": [
"CVE-2022-0996"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.",
"id": "GHSA-w87j-439w-p9f3",
"modified": "2025-11-03T21:30:38Z",
"published": "2022-03-24T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0996"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5239"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5620"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8162"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8976"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0996"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064769"
},
{
"type": "WEB",
"url": "https://github.com/ByteHackr/389-ds-base"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8FX-FM62-WW3Q
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-10 00:00IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.
{
"affected": [],
"aliases": [
"CVE-2022-41291"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.",
"id": "GHSA-w8fx-fm62-ww3q",
"modified": "2022-10-10T00:00:32Z",
"published": "2022-10-07T18:15:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41291"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236699"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6823109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8HX-XWGF-2M86
Vulnerability from github – Published: 2025-04-14 09:30 – Updated: 2025-04-14 09:30Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
{
"affected": [],
"aliases": [
"CVE-2025-30516"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T07:15:14Z",
"severity": "LOW"
},
"details": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications",
"id": "GHSA-w8hx-xwgf-2m86",
"modified": "2025-04-14T09:30:24Z",
"published": "2025-04-14T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30516"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8W3-M5JX-QWWR
Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
{
"affected": [],
"aliases": [
"CVE-2018-7758"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-18T20:29:00Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability exists in Schneider Electric\u0027s MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.",
"id": "GHSA-w8w3-m5jx-qwwr",
"modified": "2022-05-14T03:20:49Z",
"published": "2022-05-14T03:20:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7758"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-02"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-03"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9G9-CC2C-QXCQ
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358.
{
"affected": [],
"aliases": [
"CVE-2020-4395"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358.",
"id": "GHSA-w9g9-cc2c-qxcq",
"modified": "2022-05-24T17:30:40Z",
"published": "2022-05-24T17:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4395"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/179358"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6347592"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WFGV-4XH4-MFF6
Vulnerability from github – Published: 2023-02-20 18:30 – Updated: 2023-03-06 21:30Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
{
"affected": [],
"aliases": [
"CVE-2022-48317"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-20T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Expired sessions were not securely terminated in the RestAPI for Tribe29\u0027s Checkmk \u003c= 2.1.0p10 and Checkmk \u003c= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.",
"id": "GHSA-wfgv-4xh4-mff6",
"modified": "2023-03-06T21:30:19Z",
"published": "2023-02-20T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48317"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/14485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHGG-X7CG-V7R9
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users' session. IBM X-Force ID: 192912.
{
"affected": [],
"aliases": [
"CVE-2020-4995"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users\u0027 session. IBM X-Force ID: 192912.",
"id": "GHSA-whgg-x7cg-v7r9",
"modified": "2022-05-24T17:41:31Z",
"published": "2022-05-24T17:41:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4995"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192912"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6413393"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WHQG-8C4F-4GWX
Vulnerability from github – Published: 2024-07-25 18:32 – Updated: 2024-07-25 18:32IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
{
"affected": [],
"aliases": [
"CVE-2022-32759"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-25T18:15:02Z",
"severity": "MODERATE"
},
"details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.",
"id": "GHSA-whqg-8c4f-4gwx",
"modified": "2024-07-25T18:32:36Z",
"published": "2024-07-25T18:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32759"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228565"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7161446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WMM3-H9QJ-P5V6
Vulnerability from github – Published: 2026-05-12 22:23 – Updated: 2026-06-09 10:32Summary
Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password.
Details
SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued.
PoC
1.Log into the same SillyTavern account from two different browsers (e.g., Chrome and Firefox private mode). 2.In Chrome, change the account password under User Settings → Change Password. 3.In Firefox, refresh the page or perform a protected action (e.g., view API keys). 4.Expected: Firefox session should be invalidated and ask for login. 5.Actual: Firefox remains fully authenticated, able to perform all actions as the targeted user.
Impact
An attacker who obtains a valid session cookie (via XSS, MITM, physical access, etc.) can continue using it indefinitely, even after the legitimate user changes their password. This nullifies the most common recovery measure against session theft. The default cookie lifespan is 400 days, giving an attacker a very long exploitation window.
Resolution
A fix was released in the version 1.18.0, invalidating a session cookie on account password change.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.0"
},
"package": {
"ecosystem": "npm",
"name": "sillytavern"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44648"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T22:23:20Z",
"nvd_published_at": "2026-05-29T19:16:24Z",
"severity": "HIGH"
},
"details": "### Summary\nChanging a user\u2019s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password.\n\n### Details\nSillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued.\n\n### PoC\n1.Log into the same SillyTavern account from two different browsers (e.g., Chrome and Firefox private mode).\n2.In Chrome, change the account password under User Settings \u2192 Change Password.\n3.In Firefox, refresh the page or perform a protected action (e.g., view API keys).\n4.Expected: Firefox session should be invalidated and ask for login.\n5.Actual: Firefox remains fully authenticated, able to perform all actions as the targeted user.\n\n### Impact\nAn attacker who obtains a valid session cookie (via XSS, MITM, physical access, etc.) can continue using it indefinitely, even after the legitimate user changes their password.\nThis nullifies the most common recovery measure against session theft.\nThe default cookie lifespan is 400 days, giving an attacker a very long exploitation window.\n\n### Resolution\nA fix was released in the version 1.18.0, invalidating a session cookie on account password change.",
"id": "GHSA-wmm3-h9qj-p5v6",
"modified": "2026-06-09T10:32:03Z",
"published": "2026-05-12T22:23:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wmm3-h9qj-p5v6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44648"
},
{
"type": "PACKAGE",
"url": "https://github.com/SillyTavern/SillyTavern"
},
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.18.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover"
}
GHSA-WMM5-59WM-X34P
Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.
{
"affected": [],
"aliases": [
"CVE-2025-40566"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T10:15:26Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions \u003c V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions \u003c V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user\u0027s session even after logout.",
"id": "GHSA-wmm5-59wm-x34p",
"modified": "2025-05-13T12:31:36Z",
"published": "2025-05-13T12:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40566"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-339086.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.