CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-5GVV-3X4Q-5HP6
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:48SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.
{
"affected": [],
"aliases": [
"CVE-2020-6197"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T21:15:00Z",
"severity": "LOW"
},
"details": "SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.",
"id": "GHSA-5gvv-3x4q-5hp6",
"modified": "2024-04-04T02:48:59Z",
"published": "2022-05-24T17:10:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6197"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2845363"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H3F-885M-V22W
Vulnerability from github – Published: 2026-04-09 17:36 – Updated: 2026-04-28 18:27Impact
Existing WS sessions survive shared gateway token rotation.
Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42421"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T17:36:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\nExisting WS sessions survive shared gateway token rotation.\n\nRotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-5h3f-885m-v22w",
"modified": "2026-04-28T18:27:44Z",
"published": "2026-04-09T17:36:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Existing WS sessions survive shared gateway token rotation"
}
GHSA-5HFV-C864-QCQ9
Vulnerability from github – Published: 2026-05-04 20:50 – Updated: 2026-05-08 20:14Summary
The auth filter has the deactivated/banned user check commented out.
Details
CodeIgniter Shield's loggedIn() re-checks the status field (catching status='banned'), but does not re-check the active field for existing sessions. When an admin deactivates a user (active=0) after they have already logged in:
- Their session cookie remains valid
- auth()->loggedIn() still returns true
- The commented-out code is the only mechanism that would have checked !$user->active
Evidence
Impact
- User deactivation does NOT immediately revoke backend access
- Deactivated user retains full access until session expires (default: 7200s)
Additional note
The commented-out block appears to be a deferred placeholder — it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.31.7.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0.26.0"
},
{
"fixed": "0.31.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41891"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:50:55Z",
"nvd_published_at": "2026-05-07T04:16:33Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe auth filter has the deactivated/banned user check commented out. \n\n### Details\nCodeIgniter Shield\u0027s `loggedIn()` re-checks the `status` field (catching `status=\u0027banned\u0027`), but does **not** re-check the `active` field for existing sessions. When an admin deactivates a user (`active=0`) after they have already logged in:\n- Their session cookie remains valid\n- `auth()-\u003eloggedIn()` still returns `true`\n- The commented-out code is the only mechanism that would have checked `!$user-\u003eactive`\n\n### Evidence\n\u003cimg width=\"981\" height=\"654\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6f75d144-5bcf-4a3f-bc35-bb0715c3ed05\" /\u003e\n\n\n### Impact\n- User deactivation does NOT immediately revoke backend access\n- Deactivated user retains full access until session expires (default: 7200s)\n\n### Additional note\nThe commented-out block appears to be a deferred placeholder \u2014 it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.",
"id": "GHSA-5hfv-c864-qcq9",
"modified": "2026-05-08T20:14:41Z",
"published": "2026-05-04T20:50:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41891"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CI4MS has a Deactivated User Session Bypass (active=0)"
}
GHSA-5MRQ-X3X5-8V8F
Vulnerability from github – Published: 2026-05-05 17:03 – Updated: 2026-06-06 00:27Summary
A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.
The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.
PoC
- Start a Jupyter server with password authentication:
jupyter server password,jupyter server - Log in with the password and capture the authentication cookie (e.g., just login with a browser).
- Change the password to revoke access:
jupyter server password - Restart the server
- Use the old stolen cookie => remains valid and provides full authenticated access.
Impact
- All jupyter-server deployments using password authentication where security incidents may occur
- Multi-user systems where one user's compromised session should be revocable by administrators
- Shared or public-facing Jupyter servers where credential rotation is a security requirement
- Any deployment where password changes are expected to revoke existing sessions
Patches
Jupyter Server 2.18+
Workaround
rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.17.0"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyter-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40934"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T17:03:24Z",
"nvd_published_at": "2026-05-05T22:16:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. \n\nThe cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.\n\n## PoC\n\n- Start a Jupyter server with password authentication: `jupyter server password`, `jupyter server`\n- Log in with the password and capture the authentication cookie (e.g., just login with a browser).\n- Change the password to revoke access: `jupyter server password`\n- Restart the server\n- Use the old stolen cookie =\u003e remains valid and provides full authenticated access.\n\n## Impact\n\n- All jupyter-server deployments using password authentication where security incidents may occur\n- Multi-user systems where one user\u0027s compromised session should be revocable by administrators\n- Shared or public-facing Jupyter servers where credential rotation is a security requirement\n- Any deployment where password changes are expected to revoke existing sessions\n\n## Patches\n\nJupyter Server 2.18+\n\n## Workaround\n\n```bash\nrm ~/.local/share/jupyter/runtime/jupyter_cookie_secret\n# Then restart the server\n```",
"id": "GHSA-5mrq-x3x5-8v8f",
"modified": "2026-06-06T00:27:08Z",
"published": "2026-05-05T17:03:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40934"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter-server/jupyter_server"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2026-69.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jupyter Server\u0027s Authentication Cookies Remain Valid After Password Reset and Server Restart"
}
GHSA-5MVJ-RVP8-RF45
Vulnerability from github – Published: 2023-07-28 15:35 – Updated: 2023-07-28 15:35TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config).
It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.
Introduction
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device or browser even if the logged in user has since changed their password.
Impact
Kirby did not invalidate old user sessions after the user password was changed by the user or by a site admin.
If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.
Patches
The problem has been patched in Kirby 3.5.8.3, Kirby 3.6.6.3, Kirby 3.7.5.2, Kirby 3.8.4.1 and Kirby 3.9.6. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have updated the authentication implementation to keep track of the last time the password was changed. If a new password was set since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.
Credits
Thanks to Shankar Acharya (@5hank4r) for responsibly reporting the identified issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38489"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-28T15:35:25Z",
"nvd_published_at": "2023-07-27T15:15:12Z",
"severity": "HIGH"
},
"details": "### TL;DR\n\nThis vulnerability affects all Kirby sites with user accounts (unless Kirby\u0027s API and Panel are disabled in the config).\n\nIt can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.\n\n----\n\n### Introduction\n\nInsufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\n\nIn the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device or browser even if the logged in user has since changed their password.\n\n### Impact\n\nKirby did not invalidate old user sessions after the user password was changed by the user or by a site admin.\n\nIf a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.5.8.3](https://github.com/getkirby/kirby/releases/tag/3.5.8.3), [Kirby 3.6.6.3](https://github.com/getkirby/kirby/releases/tag/3.6.6.3), [Kirby 3.7.5.2](https://github.com/getkirby/kirby/releases/tag/3.7.5.2), [Kirby 3.8.4.1](https://github.com/getkirby/kirby/releases/tag/3.8.4.1) and [Kirby 3.9.6](https://github.com/getkirby/kirby/releases/tag/3.9.6). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have updated the authentication implementation to keep track of the last time the password was changed. If a new password was set since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.\n\n### Credits\n\nThanks to Shankar Acharya (@5hank4r) for responsibly reporting the identified issue.",
"id": "GHSA-5mvj-rvp8-rf45",
"modified": "2023-07-28T15:35:25Z",
"published": "2023-07-28T15:35:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38489"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration after a password change"
}
GHSA-5Q53-X3G6-993R
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-09-25 00:00Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user
{
"affected": [],
"aliases": [
"CVE-2019-5641"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user\u0027s session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user",
"id": "GHSA-5q53-x3g6-993r",
"modified": "2022-09-25T00:00:26Z",
"published": "2022-09-22T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5641"
},
{
"type": "WEB",
"url": "https://docs.rapid7.com/release-notes/insightvm/20220830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R8W-66HQ-RC39
Vulnerability from github – Published: 2024-05-27 18:53 – Updated: 2024-05-27 18:53If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.19-rc1"
},
{
"fixed": "3.1.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.4-rc1"
},
{
"fixed": "3.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.2-rc1"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0-rc1"
},
{
"fixed": "3.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-27T18:53:40Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "If remember me is on and users log in with the box checked, if the developer then disabled \"remember me\" function, any pre-existing cookies will continue to authenticate users.",
"id": "GHSA-5r8w-66hq-rc39",
"modified": "2024-05-27T18:53:40Z",
"published": "2024-05-27T18:53:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/ss-2016-014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "silverstripe/framework\u0027s pre-existing alc_enc cookies log users in if remember me is disabled"
}
GHSA-5RQC-WQWJ-478F
Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2025-02-19 21:31This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
{
"affected": [],
"aliases": [
"CVE-2023-20903"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).",
"id": "GHSA-5rqc-wqwj-478f",
"modified": "2025-02-19T21:31:29Z",
"published": "2023-03-28T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20903"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2023-20903-tokens-for-inactivated-idps-are-not-revoked-and-remain-valid-until-expiration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5V66-M237-HWF7
Vulnerability from github – Published: 2025-08-29 12:31 – Updated: 2025-08-29 16:57Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).
This issue has been fixed in version 3.44.0 of Payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "payload"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.44.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@payloadcms/next"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.44.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@payloadcms/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4643"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-29T16:57:54Z",
"nvd_published_at": "2025-08-29T10:15:30Z",
"severity": "MODERATE"
},
"details": "Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). \n\nThis issue has been fixed in version 3.44.0 of Payload.",
"id": "GHSA-5v66-m237-hwf7",
"modified": "2025-08-29T16:57:54Z",
"published": "2025-08-29T12:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4643"
},
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/08/CVE-2025-4643"
},
{
"type": "PACKAGE",
"url": "https://github.com/payloadcms/payload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Payload does not invalidate JWTs after log out"
}
GHSA-5V93-W7MF-HC4Q
Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication.
{
"affected": [],
"aliases": [
"CVE-2024-32006"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T10:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Client (All versions \u003c V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication.",
"id": "GHSA-5v93-w7mf-hc4q",
"modified": "2024-09-10T12:30:37Z",
"published": "2024-09-10T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32006"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-417159.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.