CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-8FF6-GRVW-RMVX
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.
{
"affected": [],
"aliases": [
"CVE-2020-35358"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-15T12:15:00Z",
"severity": "CRITICAL"
},
"details": "DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.",
"id": "GHSA-8ff6-grvw-rmvx",
"modified": "2022-05-24T17:44:33Z",
"published": "2022-05-24T17:44:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35358"
},
{
"type": "WEB",
"url": "https://gist.github.com/anku-agar/0fec2ffd98308e550ce9b5d4b395d0d7"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8FQ3-C5W3-PJ3Q
Vulnerability from github – Published: 2026-04-01 22:09 – Updated: 2026-04-27 16:27Summary
Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw)
- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deactivated. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.
Description
The application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.
The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.
Affected Functionality
- User session management and authentication logic
- Account deactivation mechanism
- All authenticated endpoints, including administrative and content interfaces
Attack Scenario
- A user logs into the application.
- An administrator deactivates the user account.
- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.
- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.
- Access is only lost if the user manually logs out, which may never occur.
Impact
- Unauthorized Continued Access: Deactivated users retain full access indefinitely, violating intended access control and expected security behavior.
- Bypass of Administrative Controls: Administrative actions (deactivation) fail to immediately restrict active sessions.
- Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.
- Full Functional Access Retained: Deactivated users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before being deactivated.
- Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deactivation, including accessing user management interfaces and modifying application state.
- Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.
- Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.
- False Sense of Remediation: Administrators may believe a threat has been mitigated while the deactivated user remains active within the system.
Endpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.
Steps To Reproduce (PoC)
- Create or use an existing user account.
- Log into the application using this account.
- From an administrative account, deactivate the logged-in user account.
- Observe that the target user remains authenticated.
- Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.
- Confirm that the user only loses access after manually logging out (if they choose to do so).
Remediation
- Immediately invalidate all active sessions when an account is deactivated.
- Enforce account status checks on every authenticated request, not only during login.
- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.
- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.
Ready Video POC:
https://mega.nz/file/zJkhwCII#G1-TecKmNBJmEeBS0ExsAY_RXEmAl3QqMqu4t5oy844
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.28.6.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34572"
],
"database_specific": {
"cwe_ids": [
"CWE-1254",
"CWE-284",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T22:09:39Z",
"nvd_published_at": "2026-04-01T22:16:21Z",
"severity": "HIGH"
},
"details": "## Summary\n### Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw)\n- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deactivated. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.\n\n### Description\nThe application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.\n\nThe system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.\n\n### Affected Functionality\n- User session management and authentication logic\n- Account deactivation mechanism\n- All authenticated endpoints, including administrative and content interfaces\n\n### Attack Scenario\n- A user logs into the application.\n- An administrator deactivates the user account.\n- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.\n- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.\n- Access is only lost if the user manually logs out, which may never occur.\n\n### Impact\n- Unauthorized Continued Access: Deactivated users retain full access indefinitely, violating intended access control and expected security behavior.\n- Bypass of Administrative Controls: Administrative actions (deactivation) fail to immediately restrict active sessions.\n- Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.\n- Full Functional Access Retained: Deactivated users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before being deactivated.\n- Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deactivation, including accessing user management interfaces and modifying application state.\n- Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.\n- Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.\n- False Sense of Remediation: Administrators may believe a threat has been mitigated while the deactivated user remains active within the system.\n\nEndpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.\n\n## Steps To Reproduce (PoC)\n1. Create or use an existing user account.\n2. Log into the application using this account.\n3. From an administrative account, deactivate the logged-in user account.\n4. Observe that the target user remains authenticated.\n5. Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.\n6. Confirm that the user only loses access after manually logging out (if they choose to do so).\n\n## Remediation\n- Immediately invalidate all active sessions when an account is deactivated.\n- Enforce account status checks on every authenticated request, not only during login.\n- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.\n- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.\n\n# Ready Video POC:\nhttps://mega.nz/file/zJkhwCII#G1-TecKmNBJmEeBS0ExsAY_RXEmAl3QqMqu4t5oy844",
"id": "GHSA-8fq3-c5w3-pj3q",
"modified": "2026-04-27T16:27:49Z",
"published": "2026-04-01T22:09:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34572"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)"
}
GHSA-8JG2-726G-XH43
Vulnerability from github – Published: 2026-04-08 03:32 – Updated: 2026-04-08 21:50An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lollms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1163"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T21:50:30Z",
"nvd_published_at": "2026-04-08T03:16:07Z",
"severity": "MODERATE"
},
"details": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.",
"id": "GHSA-8jg2-726g-xh43",
"modified": "2026-04-08T21:50:30Z",
"published": "2026-04-08T03:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1163"
},
{
"type": "PACKAGE",
"url": "https://github.com/ParisNeo/lollms"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "parisneo/lollms has an insufficient session expiration vulnerability"
}
GHSA-8JRV-PCV6-2265
Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
{
"affected": [],
"aliases": [
"CVE-2026-24912"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T00:16:10Z",
"severity": "MODERATE"
},
"details": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable\na malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.",
"id": "GHSA-8jrv-pcv6-2265",
"modified": "2026-03-06T00:31:35Z",
"published": "2026-03-06T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24912"
},
{
"type": "WEB",
"url": "https://epower.ie/support"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-07.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8PP6-343G-MGJ6
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-09-17 00:30Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.
{
"affected": [],
"aliases": [
"CVE-2019-5638"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-21T20:15:00Z",
"severity": "HIGH"
},
"details": "Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user\u0027s password is changed by an administrator due to an otherwise unrelated credential leak, that user account\u0027s current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.",
"id": "GHSA-8pp6-343g-mgj6",
"modified": "2024-09-17T00:30:59Z",
"published": "2022-05-24T16:54:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5638"
},
{
"type": "WEB",
"url": "https://docs.rapid7.com/insightvm/enable-insightvm-platform-login"
},
{
"type": "WEB",
"url": "https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8RHR-7X4C-49J6
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially executing unauthorized actions depending on operator configuration.
{
"affected": [],
"aliases": [
"CVE-2026-53824"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:53Z",
"severity": "MODERATE"
},
"details": "OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially executing unauthorized actions depending on operator configuration.",
"id": "GHSA-8rhr-7x4c-49j6",
"modified": "2026-06-13T00:34:31Z",
"published": "2026-06-13T00:34:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53824"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/mattermost-slash-token-revocation-lag-via-monitor-refresh-delay"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8VFJ-M772-GQJW
Vulnerability from github – Published: 2022-02-26 00:00 – Updated: 2022-03-05 00:00In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.
{
"affected": [],
"aliases": [
"CVE-2022-24341"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-25T15:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn\u0027t terminate sessions of the edited user.",
"id": "GHSA-8vfj-m772-gqjw",
"modified": "2022-03-05T00:00:54Z",
"published": "2022-02-26T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24341"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8VXF-42V3-RC9P
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.
{
"affected": [],
"aliases": [
"CVE-2025-25252"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T16:15:36Z",
"severity": "MODERATE"
},
"details": "An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.",
"id": "GHSA-8vxf-42v3-rc9p",
"modified": "2025-10-14T18:30:27Z",
"published": "2025-10-14T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25252"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-487"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8XJ2-47XW-Q78C
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2024-04-23 17:34A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1724"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T17:34:12Z",
"nvd_published_at": "2020-05-11T21:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.",
"id": "GHSA-8xj2-47xw-q78c",
"modified": "2024-04-23T17:34:12Z",
"published": "2022-05-24T17:17:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1724"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak Insufficient Session Expiry"
}
GHSA-9287-X4FM-8G85
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-17 21:30Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.
{
"affected": [],
"aliases": [
"CVE-2025-55254"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T21:16:14Z",
"severity": "LOW"
},
"details": "Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.",
"id": "GHSA-9287-x4fm-8g85",
"modified": "2025-12-17T21:30:50Z",
"published": "2025-12-17T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55254"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.