Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

CVE-2025-4754 (GCVE-0-2025-4754)

Vulnerability from cvelistv5 – Published: 2025-06-17 14:31 – Updated: 2026-05-27 15:40
VLAI
Title
Missing Session Revocation on Logout in ash_authentication_phoenix
Summary
Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
EEF
Impacted products
Vendor Product Version
ash-project ash_authentication_phoenix Affected: 0 , < 2.10.0 (semver)
    cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*
Create a notification for this product.
ash-project ash_authentication_phoenix Affected: 0 , < a3253fb4fc7145aeb403537af1c24d3a8d51ffb1 (git)
    cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
James Harton Zach Daniel Mike Buhot Jonatan Männchen / EEF Josh Price
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4754",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-17T14:40:37.216297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T14:41:09.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "ash_authentication_phoenix",
          "packageURL": "pkg:hex/ash_authentication_phoenix",
          "product": "ash_authentication_phoenix",
          "programFiles": [
            "lib/ash_authentication_phoenix/controller.ex"
          ],
          "repo": "https://github.com/team-alembic/ash_authentication_phoenix",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "2.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "team-alembic/ash_authentication_phoenix",
          "packageURL": "pkg:github/team-alembic/ash_authentication_phoenix",
          "product": "ash_authentication_phoenix",
          "programFiles": [
            "lib/ash_authentication_phoenix/controller.ex"
          ],
          "repo": "https://github.com/team-alembic/ash_authentication_phoenix",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "a3253fb4fc7145aeb403537af1c24d3a8d51ffb1",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.10.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "James Harton"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Zach Daniel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Mike Buhot"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Josh Price"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash_authentication_phoenix/controller.ex\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash_authentication_phoenix until 2.10.0.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex.\n\nThis issue affects ash_authentication_phoenix until 2.10.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-593",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-593 Session Hijacking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:14.352Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2025-4754.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2025-4754"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/team-alembic/ash_authentication_phoenix/pull/634"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Session Revocation on Logout in ash_authentication_phoenix",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2025-4754",
    "datePublished": "2025-06-17T14:31:37.006Z",
    "dateReserved": "2025-05-15T09:03:11.355Z",
    "dateUpdated": "2026-05-27T15:40:14.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4677 (GCVE-0-2025-4677)

Vulnerability from cvelistv5 – Published: 2026-01-07 17:09 – Updated: 2026-01-07 18:19
VLAI
Title
Idle session timeout is not configured for multiple open ports
Summary
Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
ABB
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4677",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-07T18:17:02.695141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T18:19:30.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WebPro SNMP Card PowerValue",
          "vendor": "ABB",
          "versions": [
            {
              "lessThanOrEqual": "1.1.8.k",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WebPro SNMP Card PowerValue UL",
          "vendor": "ABB",
          "versions": [
            {
              "lessThanOrEqual": "1.1.8.k",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.\u003cp\u003eThis issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-07T17:09:05.370Z",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Idle session timeout is not configured for multiple open ports",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2025-4677",
    "datePublished": "2026-01-07T17:09:05.370Z",
    "dateReserved": "2025-05-14T06:02:15.939Z",
    "dateUpdated": "2026-01-07T18:19:30.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4643 (GCVE-0-2025-4643)

Vulnerability from cvelistv5 – Published: 2025-08-29 10:01 – Updated: 2025-08-29 11:54 X_Open Source
VLAI
Title
Lack of JWT Expiration after Log Out in PayloadCMS
Summary
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
Vendor Product Version
Payload CMS Payload Affected: 0 , < 3.44.0 (semver)
Create a notification for this product.
Date Public
2025-08-29 10:00
Credits
Arkadiusz Marta
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4643",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-29T11:54:20.949942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-29T11:54:27.895Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Payload",
          "vendor": "Payload CMS",
          "versions": [
            {
              "lessThan": "3.44.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arkadiusz Marta"
        }
      ],
      "datePublic": "2025-08-29T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). \u003cbr\u003e\u003cbr\u003eThis issue has been fixed in version 3.44.0 of Payload.\u003cbr\u003e"
            }
          ],
          "value": "Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). \n\nThis issue has been fixed in version 3.44.0 of Payload."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T10:01:09.128Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2025/08/CVE-2025-4643"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://payloadcms.com"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/payloadcms/payload"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Lack of JWT Expiration after Log Out in PayloadCMS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-4643",
    "datePublished": "2025-08-29T10:01:09.128Z",
    "dateReserved": "2025-05-13T07:10:07.627Z",
    "dateUpdated": "2025-08-29T11:54:27.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4528 (GCVE-0-2025-4528)

Vulnerability from cvelistv5 – Published: 2025-05-11 03:00 – Updated: 2026-05-27 14:34
VLAI
Title
Dígitro NGC Explorer session expiration
Summary
A weakness has been identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mitigates this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Dígitro NGC Explorer Affected: 3.44.0
Affected: 3.44.1
Affected: 3.44.2
Affected: 3.44.3
Affected: 3.44.4
Affected: 3.44.5
Affected: 3.44.6
Affected: 3.44.7
Affected: 3.44.8
Affected: 3.44.9
Affected: 3.44.10
Affected: 3.44.11
Affected: 3.44.12
Affected: 3.44.13
Affected: 3.44.14
Affected: 3.44.15
Affected: 3.48.0
Affected: 3.48.1
Affected: 3.48.2
Affected: 3.48.3
Affected: 3.48.4
Affected: 3.48.5
Affected: 3.48.6
Affected: 3.48.7
Affected: 3.48.8
Affected: 3.48.9
Affected: 3.48.10
Affected: 3.48.11
Affected: 3.48.12
Affected: 3.48.13
Affected: 3.48.14
Affected: 3.48.15
Affected: 3.48.16
Affected: 3.48.17
Affected: 3.48.18
Affected: 3.48.19
Affected: 3.48.20
Affected: 3.48.21
Unaffected: 3.48.22
    cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
j369 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4528",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T14:33:25.278396Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T14:33:36.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:*"
          ],
          "product": "NGC Explorer",
          "vendor": "D\u00edgitro",
          "versions": [
            {
              "status": "affected",
              "version": "3.44.0"
            },
            {
              "status": "affected",
              "version": "3.44.1"
            },
            {
              "status": "affected",
              "version": "3.44.2"
            },
            {
              "status": "affected",
              "version": "3.44.3"
            },
            {
              "status": "affected",
              "version": "3.44.4"
            },
            {
              "status": "affected",
              "version": "3.44.5"
            },
            {
              "status": "affected",
              "version": "3.44.6"
            },
            {
              "status": "affected",
              "version": "3.44.7"
            },
            {
              "status": "affected",
              "version": "3.44.8"
            },
            {
              "status": "affected",
              "version": "3.44.9"
            },
            {
              "status": "affected",
              "version": "3.44.10"
            },
            {
              "status": "affected",
              "version": "3.44.11"
            },
            {
              "status": "affected",
              "version": "3.44.12"
            },
            {
              "status": "affected",
              "version": "3.44.13"
            },
            {
              "status": "affected",
              "version": "3.44.14"
            },
            {
              "status": "affected",
              "version": "3.44.15"
            },
            {
              "status": "affected",
              "version": "3.48.0"
            },
            {
              "status": "affected",
              "version": "3.48.1"
            },
            {
              "status": "affected",
              "version": "3.48.2"
            },
            {
              "status": "affected",
              "version": "3.48.3"
            },
            {
              "status": "affected",
              "version": "3.48.4"
            },
            {
              "status": "affected",
              "version": "3.48.5"
            },
            {
              "status": "affected",
              "version": "3.48.6"
            },
            {
              "status": "affected",
              "version": "3.48.7"
            },
            {
              "status": "affected",
              "version": "3.48.8"
            },
            {
              "status": "affected",
              "version": "3.48.9"
            },
            {
              "status": "affected",
              "version": "3.48.10"
            },
            {
              "status": "affected",
              "version": "3.48.11"
            },
            {
              "status": "affected",
              "version": "3.48.12"
            },
            {
              "status": "affected",
              "version": "3.48.13"
            },
            {
              "status": "affected",
              "version": "3.48.14"
            },
            {
              "status": "affected",
              "version": "3.48.15"
            },
            {
              "status": "affected",
              "version": "3.48.16"
            },
            {
              "status": "affected",
              "version": "3.48.17"
            },
            {
              "status": "affected",
              "version": "3.48.18"
            },
            {
              "status": "affected",
              "version": "3.48.19"
            },
            {
              "status": "affected",
              "version": "3.48.20"
            },
            {
              "status": "affected",
              "version": "3.48.21"
            },
            {
              "status": "unaffected",
              "version": "3.48.22"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "j369 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in D\u00edgitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mitigates this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:34:18.093Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-308273 | D\u00edgitro NGC Explorer session expiration",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/308273"
        },
        {
          "name": "VDB-308273 | CTI Indicators (IOB, IOC)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/308273/cti"
        },
        {
          "name": "Submit #565309 | D\u00edgitro NGC Explorer 3.44.15 Improper session token expiration",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/565309"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://digitro.com/recomendacao-10-2026-ctir-gov/"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/recomendacoes/2026/recomendacao-10-2026"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-27T16:38:18.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D\u00edgitro NGC Explorer session expiration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4528",
    "datePublished": "2025-05-11T03:00:06.849Z",
    "dateReserved": "2025-05-10T05:30:00.544Z",
    "dateUpdated": "2026-05-27T14:34:18.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4407 (GCVE-0-2025-4407)

Vulnerability from cvelistv5 – Published: 2025-06-30 11:16 – Updated: 2025-06-30 14:48
VLAI
Title
Application does not invalidate session after password reset
Summary
Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
ABB
Impacted products
Vendor Product Version
ABB Lite Panel Pro Affected: 0 , ≤ 1.0.1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4407",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-30T14:48:40.876375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-30T14:48:59.556Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Lite Panel Pro",
          "vendor": "ABB",
          "versions": [
            {
              "lessThanOrEqual": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.\u003cp\u003eThis issue affects Lite Panel Pro: through 1.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-30T11:16:40.554Z",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A2771\u0026LanguageCode=en\u0026DocumentPartId=PDF\u0026Action=Launch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability is resolved in the following product versions:\nLite Panel Pro software version 1.1.0\n\n\u003cbr\u003e"
            }
          ],
          "value": "The vulnerability is resolved in the following product versions:\nLite Panel Pro software version 1.1.0"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Application does not invalidate session after password reset",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2025-4407",
    "datePublished": "2025-06-30T11:16:39.556Z",
    "dateReserved": "2025-05-07T05:27:33.565Z",
    "dateUpdated": "2025-06-30T14:48:59.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-3930 (GCVE-0-2025-3930)

Vulnerability from cvelistv5 – Published: 2025-10-16 10:43 – Updated: 2025-10-22 06:59 X_Open Source
VLAI
Title
Lack of JWT Expiration after Log Out in Strapi
Summary
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
Impacted products
Vendor Product Version
Strapi Strapi Affected: 0 , < 5.24.1 (semver)
Create a notification for this product.
Date Public
2025-10-16 09:55
Credits
Arkadiusz Marta
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3930",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T13:37:13.822536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T13:37:36.428Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Strapi",
          "vendor": "Strapi",
          "versions": [
            {
              "lessThan": "5.24.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arkadiusz Marta"
        }
      ],
      "datePublic": "2025-10-16T09:55:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eStrapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed).\u003c/span\u003e \u003cbr\u003eThe existence of \u003ctt\u003e/admin/renew-token\u0026nbsp;\u003c/tt\u003eendpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. \u003cbr\u003e\u003cbr\u003eThis issue has been fixed in version 5.24.1.\u003ctt\u003e\u003ctt\u003e\u003cbr\u003e\u003ctt\u003e\u003c/tt\u003e\u003c/tt\u003e\u003c/tt\u003e"
            }
          ],
          "value": "Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). \nThe existence of /admin/renew-token\u00a0endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. \n\nThis issue has been fixed in version 5.24.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-22T06:59:29.045Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2025/06/CVE-2025-3930"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/strapi/strapi"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://strapi.io/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Lack of JWT Expiration after Log Out in Strapi",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-3930",
    "datePublished": "2025-10-16T10:43:21.382Z",
    "dateReserved": "2025-04-25T06:46:23.142Z",
    "dateUpdated": "2025-10-22T06:59:29.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-2596 (GCVE-0-2025-2596)

Vulnerability from cvelistv5 – Published: 2025-03-26 10:51 – Updated: 2025-03-26 17:36
VLAI
Title
Session logout can be overwritten by long lasting request
Summary
Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
Vendor Product Version
Checkmk GmbH Checkmk Affected: 2.4.0 , < 2.4.0b2 (semver)
Affected: 2.3.0 , < 2.3.0p30 (semver)
Affected: 2.2.0 , < 2.2.0p41 (semver)
Affected: 2.1.0 , ≤ 2.1.0p50 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2596",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T17:35:52.786112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T17:36:08.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Checkmk",
          "vendor": "Checkmk GmbH",
          "versions": [
            {
              "lessThan": "2.4.0b2",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.3.0p30",
              "status": "affected",
              "version": "2.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.2.0p41",
              "status": "affected",
              "version": "2.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.1.0p50",
              "status": "affected",
              "version": "2.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Session logout could be overwritten in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p30, \u003c2.2.0p41, and 2.1.0p49 (EOL)"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T10:51:16.285Z",
        "orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
        "shortName": "Checkmk"
      },
      "references": [
        {
          "url": "https://checkmk.com/werk/17808"
        }
      ],
      "title": "Session logout can be overwritten by long lasting request"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
    "assignerShortName": "Checkmk",
    "cveId": "CVE-2025-2596",
    "datePublished": "2025-03-26T10:51:16.285Z",
    "dateReserved": "2025-03-21T10:07:46.468Z",
    "dateUpdated": "2025-03-26T17:36:08.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-2185 (GCVE-0-2025-2185)

Vulnerability from cvelistv5 – Published: 2025-04-24 23:22 – Updated: 2025-04-25 16:02
VLAI
Title
ALBEDO Telecom Net.Time - PTP/NTP Clock Insufficient Session Expiration
Summary
ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
Impacted products
Credits
Khalid Markar, Parul Sindhwad & Dr. Faruk Kazi from CoE-CNDS Lab reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2185",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-25T15:38:52.881020Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-25T16:02:29.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Net.Time - PTP/NTP clock (Serial No. NBC0081P)",
          "vendor": "ALBEDO Telecom",
          "versions": [
            {
              "status": "affected",
              "version": "1.4.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Khalid Markar, Parul Sindhwad \u0026 Dr. Faruk Kazi from CoE-CNDS Lab reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which\n could permit an attacker to transmit passwords over unencrypted \nconnections, resulting in the product becoming vulnerable to \ninterception."
            }
          ],
          "value": "ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which\n could permit an attacker to transmit passwords over unencrypted \nconnections, resulting in the product becoming vulnerable to \ninterception."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-24T23:22:35.146Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02"
        },
        {
          "url": "https://www.albedotelecom.com/contactus.php"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eALBEDO Telecom has identified the following mitigations users can apply to reduce risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eNet.Time - PTP/NTP clock (Serial No. NBC0081P) Software release 1.4.4: Update to v1.6.1\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor more information, please \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.albedotelecom.com/contactus.php\"\u003econtact ALBEDO Telecom.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "ALBEDO Telecom has identified the following mitigations users can apply to reduce risk:\n\n\n\n  *  Net.Time - PTP/NTP clock (Serial No. NBC0081P) Software release 1.4.4: Update to v1.6.1\n\n\n\n\nFor more information, please  contact ALBEDO Telecom. https://www.albedotelecom.com/contactus.php"
        }
      ],
      "source": {
        "advisory": "ICSA-25-114-02",
        "discovery": "EXTERNAL"
      },
      "title": "ALBEDO Telecom Net.Time - PTP/NTP Clock Insufficient Session Expiration",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-2185",
    "datePublished": "2025-04-24T23:22:35.146Z",
    "dateReserved": "2025-03-10T19:07:16.013Z",
    "dateUpdated": "2025-04-25T16:02:29.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1968 (GCVE-0-2025-1968)

Vulnerability from cvelistv5 – Published: 2025-04-09 13:33 – Updated: 2026-02-26 18:28
VLAI
Summary
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
Impacted products
Vendor Product Version
Progress Software Corporation Sitefinity Affected: 14.0 , ≤ 14.3 (custom)
Affected: 14.4 , < 14.4.8145 (custom)
Affected: 15.0 , < 15.0.8231 (custom)
Affected: 15.1 , < 15.1.8332 (custom)
Affected: 15.2 , < 15.2.8429 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T03:55:30.253793Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T18:28:29.081Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sitefinity",
          "vendor": "Progress Software Corporation",
          "versions": [
            {
              "lessThanOrEqual": "14.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "custom"
            },
            {
              "lessThan": "14.4.8145",
              "status": "affected",
              "version": "14.4",
              "versionType": "custom"
            },
            {
              "lessThan": "15.0.8231",
              "status": "affected",
              "version": "15.0",
              "versionType": "custom"
            },
            {
              "lessThan": "15.1.8332",
              "status": "affected",
              "version": "15.1",
              "versionType": "custom"
            },
            {
              "lessThan": "15.2.8429",
              "status": "affected",
              "version": "15.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).\u003cp\u003eThis issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-60",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-60: Reusing Session IDs (Session Replay Attacks)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-09T13:33:31.450Z",
        "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "shortName": "ProgressSoftware"
      },
      "references": [
        {
          "url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
    "assignerShortName": "ProgressSoftware",
    "cveId": "CVE-2025-1968",
    "datePublished": "2025-04-09T13:33:31.450Z",
    "dateReserved": "2025-03-04T17:18:25.818Z",
    "dateUpdated": "2026-02-26T18:28:29.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-1198 (GCVE-0-2025-1198)

Vulnerability from cvelistv5 – Published: 2025-02-13 00:55 – Updated: 2025-02-13 14:57
VLAI
Title
Insufficient Session Expiration in GitLab
Summary
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/511477 issue-trackingpermissions-required
Impacted products
Vendor Product Version
GitLab GitLab Affected: 16.11 , < 17.6.5 (semver)
Affected: 17.7 , < 17.7.4 (semver)
Affected: 17.8 , < 17.8.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
This vulnerability has been discovered internally by a GitLab team member [Dylan Griffith](https://gitlab.com/DylanGriffith).
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1198",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T14:57:14.620465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:57:28.962Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "17.6.5",
              "status": "affected",
              "version": "16.11",
              "versionType": "semver"
            },
            {
              "lessThan": "17.7.4",
              "status": "affected",
              "version": "17.7",
              "versionType": "semver"
            },
            {
              "lessThan": "17.8.2",
              "status": "affected",
              "version": "17.8",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability has been discovered internally by a GitLab team member [Dylan Griffith](https://gitlab.com/DylanGriffith)."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T00:55:50.295Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #511477",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/511477"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 17.6.5, 17.7.4, 17.8.2 or above."
        }
      ],
      "title": "Insufficient Session Expiration in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-1198",
    "datePublished": "2025-02-13T00:55:50.295Z",
    "dateReserved": "2025-02-10T16:02:02.388Z",
    "dateUpdated": "2025-02-13T14:57:28.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.