CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-H9Q8-5GV2-V6MG
Vulnerability from github – Published: 2021-03-12 23:09 – Updated: 2026-02-02 21:01Impact
Potential session hijacking of store customers.
Patches
We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
Workarounds
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.3.5.1"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32710"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-12T22:10:34Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nPotential session hijacking of store customers.\n\n### Patches\nWe recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021",
"id": "GHSA-h9q8-5gv2-v6mg",
"modified": "2026-02-02T21:01:07Z",
"published": "2021-03-12T23:09:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32710"
},
{
"type": "WEB",
"url": "https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/shopware/platform"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Potential Session Hijacking"
}
GHSA-HGX3-J7FM-PJM3
Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 21:30nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-11699"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-01T16:15:51Z",
"severity": "HIGH"
},
"details": "nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a \na valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.",
"id": "GHSA-hgx3-j7fm-pjm3",
"modified": "2025-12-01T21:30:26Z",
"published": "2025-12-01T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11699"
},
{
"type": "WEB",
"url": "https://github.com/nopSolutions/nopCommerce/issues/7044"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2025/Aug/14"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/633103"
},
{
"type": "WEB",
"url": "https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJC2-P4MC-RCPR
Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-04-24 00:31A vulnerability exists in SenseLive
X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.
{
"affected": [],
"aliases": [
"CVE-2026-25720"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T00:16:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in\u00a0SenseLive\n\nX3050\u2019s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.",
"id": "GHSA-hjc2-p4mc-rcpr",
"modified": "2026-04-24T00:31:52Z",
"published": "2026-04-24T00:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25720"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json"
},
{
"type": "WEB",
"url": "https://senselive.io/contact"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HMPP-GH47-8R55
Vulnerability from github – Published: 2022-05-14 03:30 – Updated: 2022-05-14 03:30Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.
{
"affected": [],
"aliases": [
"CVE-2018-5438"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-20T17:29:00Z",
"severity": "MODERATE"
},
"details": "Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.",
"id": "GHSA-hmpp-gh47-8r55",
"modified": "2022-05-14T03:30:15Z",
"published": "2022-05-14T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5438"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01"
},
{
"type": "WEB",
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102847"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HMVM-G3WG-H58R
Vulnerability from github – Published: 2023-10-17 03:32 – Updated: 2024-04-04 08:42IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324.
{
"affected": [],
"aliases": [
"CVE-2021-20581"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T02:15:09Z",
"severity": "MODERATE"
},
"details": "\nIBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324.\n\n",
"id": "GHSA-hmvm-g3wg-h58r",
"modified": "2024-04-04T08:42:15Z",
"published": "2023-10-17T03:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20581"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199324"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7047202"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HP29-CWPV-2M4X
Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2024-04-04 08:28An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2023-40537"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T13:15:20Z",
"severity": "HIGH"
},
"details": "\nAn authenticated user\u0027s session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n",
"id": "GHSA-hp29-cwpv-2m4x",
"modified": "2024-04-04T08:28:56Z",
"published": "2023-10-10T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40537"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K29141800"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HP8H-7X69-4WMV
Vulnerability from github – Published: 2024-04-10 17:16 – Updated: 2024-04-11 14:31Impact
When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the expires property is not properly checked against the current date or other date param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material.
Patches
@digitalbazaar/zcap v9.0.1 fixes expiration checking.
Workarounds
A zcap could be revoked at any time.
References
https://github.com/digitalbazaar/zcap/pull/82
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@digitalbazaar/zcap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31995"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-10T17:16:15Z",
"nvd_published_at": "2024-04-10T22:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material.\n\n### Patches\n\n`@digitalbazaar/zcap` v9.0.1 fixes expiration checking.\n\n### Workarounds\n\nA zcap could be revoked at any time.\n\n### References\n\nhttps://github.com/digitalbazaar/zcap/pull/82",
"id": "GHSA-hp8h-7x69-4wmv",
"modified": "2024-04-11T14:31:30Z",
"published": "2024-04-10T17:16:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/zcap/security/advisories/GHSA-hp8h-7x69-4wmv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31995"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/zcap/pull/82"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/zcap/commit/261eea040109b6e25159c88d8ed49d3c37f8fcfe"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/zcap/commit/55f8549c80124b85dfb0f3dcf83f2c63f42532e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/zcap"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "zcap has incomplete expiration checks in capability chains."
}
GHSA-HR7J-63V7-VJ7G
Vulnerability from github – Published: 2026-02-17 17:15 – Updated: 2026-02-17 17:15Summary
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.
Details
When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.
Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.
This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.
This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.
PoC
Scenario 1: Account deletion 1. Create a user with SFTP access to a server. 2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla). 3. Keep the SFTP session open and active. 4. Delete the user account from the Pterodactyl Panel. 5. Continue performing file operations through the already-established SFTP connection.
Result: The SFTP session remains active and usable despite the user account being deleted.
Scenario 2: Password change 1. Create a user with SFTP access to a server. 2. Establish an active SFTP connection. 3. Change the user's password (including via administrator panel). 4. Continue performing file operations using the existing SFTP connection.
Result: The SFTP session remains active and usable even after the password has been changed.
Impact
This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue
Impacted parties:
- Server administrators
- Hosting providers using Pterodactyl Panel
Security impact:
Deleted users may retain filesystem access longer than intended, which can lead to:
- Unauthorized data access
- Data modification or deletion
- Compliance and security policy violations
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pterodactyl/wings"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T17:15:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nDeleting a user account with SFTP access or changing the user\u0027s password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.\nThis can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.\n\n\n### Details\nWhen a user with SFTP access is deleted from the Pterodactyl Panel or when the user\u0027s password is changed while one or more SFTP connections are active, those existing connections remain fully functional.\n\nNeither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.\n\nThis behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.\n\nThis suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.\n\n\n### PoC\nScenario 1: Account deletion\n1. Create a user with SFTP access to a server.\n2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).\n3. Keep the SFTP session open and active.\n4. Delete the user account from the Pterodactyl Panel.\n5. Continue performing file operations through the already-established SFTP connection.\n\nResult:\nThe SFTP session remains active and usable despite the user account being deleted.\n\nScenario 2: Password change\n1. Create a user with SFTP access to a server.\n2. Establish an active SFTP connection.\n3. Change the user\u0027s password (including via administrator panel).\n4. Continue performing file operations using the existing SFTP connection.\n\nResult:\nThe SFTP session remains active and usable even after the password has been changed.\n\n\n### Impact\nThis issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue\n\nImpacted parties:\n\n1. Server administrators\n2. Hosting providers using Pterodactyl Panel\n\nSecurity impact:\n\nDeleted users may retain filesystem access longer than intended, which can lead to:\n\n1. Unauthorized data access\n2. Data modification or deletion\n3. Compliance and security policy violations",
"id": "GHSA-hr7j-63v7-vj7g",
"modified": "2026-02-17T17:15:19Z",
"published": "2026-02-17T17:15:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pterodactyl Panel\u0027s SFTP sessions remain active after user account deletion or password change"
}
GHSA-HV2J-4G9F-CHQP
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-07-17 15:32MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
{
"affected": [],
"aliases": [
"CVE-2025-49152"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-25T17:15:38Z",
"severity": "HIGH"
},
"details": "MICROSENS NMP Web+\u00a0contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.",
"id": "GHSA-hv2j-4g9f-chqp",
"modified": "2025-07-17T15:32:09Z",
"published": "2025-06-26T21:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49152"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07"
},
{
"type": "WEB",
"url": "https://www.microsens.com/support/downloads/nmp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HVM9-WC8J-MGRC
Vulnerability from github – Published: 2024-12-18 18:19 – Updated: 2024-12-18 18:19Impact
An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.
Because of this, if the following conditions are met a player may assume the login state of a previously connected player:
1. The server has UUID login enabled
2. An authenticated player disconnects
3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
4. The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player
Patches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Workarounds
Implement a RemoteClient reset event handler in a plugin like so:
public override void Initialize()
{
On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}
private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
client.ClientUUID = null;
orig(client);
}
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "TShock"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.21"
},
{
"fixed": "5.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-613",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-18T18:19:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nAn issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects.\n\nBecause of this, if the following conditions are met a player may assume the login state of a previously connected player:\n1. The server has UUID login enabled\n2. An authenticated player disconnects\n3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection\n4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player\n\n\n### Patches\nTShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.\n\n### Workarounds\nImplement a RemoteClient reset event handler in a plugin like so:\n```csharp\npublic override void Initialize()\n{\n On.Terraria.RemoteClient.Reset += RemoteClient_Reset;\n}\n\nprivate static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)\n{\n\tclient.ClientUUID = null;\n orig(client);\n}\n```\n\n",
"id": "GHSA-hvm9-wc8j-mgrc",
"modified": "2024-12-18T18:19:12Z",
"published": "2024-12-18T18:19:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc"
},
{
"type": "WEB",
"url": "https://github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03"
},
{
"type": "PACKAGE",
"url": "https://github.com/Pryaxis/TShock"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "TShock Security Escalation Exploit"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.