CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-J8HM-JP32-F55J
Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2022-22318"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-20T17:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-j8hm-jp32-f55j",
"modified": "2022-06-29T00:00:57Z",
"published": "2022-06-21T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22318"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6596049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8QV-C9RP-9GQJ
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.
{
"affected": [],
"aliases": [
"CVE-2018-10990"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-14T14:29:00Z",
"severity": "HIGH"
},
"details": "On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the \"credential\" cookie, which might make it easier for attackers to obtain access at a later time (e.g., \"at least for a few minutes\"). NOTE: there is no documentation stating that the web UI\u0027s logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.",
"id": "GHSA-j8qv-c9rp-9gqj",
"modified": "2022-05-13T01:06:01Z",
"published": "2022-05-13T01:06:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10990"
},
{
"type": "WEB",
"url": "https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCGV-XJW5-6WP4
Vulnerability from github – Published: 2025-01-04 03:33 – Updated: 2025-01-06 18:31An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.
{
"affected": [],
"aliases": [
"CVE-2025-22386"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-04T02:15:07Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.",
"id": "GHSA-jcgv-xjw5-6wp4",
"modified": "2025-01-06T18:31:02Z",
"published": "2025-01-04T03:33:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22386"
},
{
"type": "WEB",
"url": "https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JCJX-C3J3-44PR
Vulnerability from github – Published: 2021-11-10 16:44 – Updated: 2021-11-08 21:09Impact
A bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the lastTokenReset field.
Patches
Version 1.1.3 contains a patch that'll invalidate these faulty tokens and make new ones behave as expected.
Workarounds
None. Tokens do not hold the necessary information to perform invalidation anymore.
References
PR #1
For more information
If you have any questions or comments about this advisory: * Open an issue in github.com/cyyynthia/tokenize * Email us at cynthia@cynthia.dev
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cyyynthia/tokenize"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-08T21:09:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nA bug introduced in version 1.1.0 made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the `lastTokenReset` field.\n\n### Patches\nVersion 1.1.3 contains a patch that\u0027ll invalidate these faulty tokens and make new ones behave as expected.\n\n### Workarounds\nNone. Tokens do not hold the necessary information to perform invalidation anymore.\n\n### References\nPR #1\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/cyyynthia/tokenize](https://github.com/cyyynthia/tokenize)\n* Email us at [cynthia@cynthia.dev](mailto:cynthia@cynthia.dev)\n",
"id": "GHSA-jcjx-c3j3-44pr",
"modified": "2021-11-08T21:09:02Z",
"published": "2021-11-10T16:44:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cyyynthia/tokenize/security/advisories/GHSA-jcjx-c3j3-44pr"
},
{
"type": "PACKAGE",
"url": "https://github.com/cyyynthia/tokenize"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Insufficient Session Expiration in @cyyynthia/tokenize"
}
GHSA-JG95-R9XH-XW9C
Vulnerability from github – Published: 2024-08-23 21:30 – Updated: 2025-10-13 15:45Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mage-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.9.73"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45187"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-23T22:51:28Z",
"nvd_published_at": "2024-08-23T19:15:07Z",
"severity": "MODERATE"
},
"details": "Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server.",
"id": "GHSA-jg95-r9xh-xw9c",
"modified": "2025-10-13T15:45:48Z",
"published": "2024-08-23T21:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45187"
},
{
"type": "PACKAGE",
"url": "https://github.com/mage-ai/mage-ai"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Mage AI incorrectly gives privileges to users with deleted accounts"
}
GHSA-JG98-XFVF-7PVV
Vulnerability from github – Published: 2021-12-30 00:00 – Updated: 2022-01-12 00:02An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.
{
"affected": [],
"aliases": [
"CVE-2021-45885"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-29T17:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.",
"id": "GHSA-jg98-xfvf-7pvv",
"modified": "2022-01-12T00:02:13Z",
"published": "2021-12-30T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45885"
},
{
"type": "WEB",
"url": "https://advisories.stormshield.eu"
},
{
"type": "WEB",
"url": "https://advisories.stormshield.eu/2021-069"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JJX8-FGCM-MHJX
Vulnerability from github – Published: 2024-10-07 18:31 – Updated: 2024-11-05 00:31IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired.
{
"affected": [],
"aliases": [
"CVE-2024-46040"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-07T16:15:05Z",
"severity": "MODERATE"
},
"details": "IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the access point after the authentication token has expired.",
"id": "GHSA-jjx8-fgcm-mhjx",
"modified": "2024-11-05T00:31:27Z",
"published": "2024-10-07T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46040"
},
{
"type": "WEB",
"url": "https://github.com/Anonymous120386/Anonymous"
},
{
"type": "WEB",
"url": "https://www.iothaat.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JM72-67RM-763J
Vulnerability from github – Published: 2022-04-21 01:54 – Updated: 2025-06-09 17:48An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.24.4"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2009-20001"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T23:02:24Z",
"nvd_published_at": "2021-03-07T20:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user\u0027s cookie to login as them.",
"id": "GHSA-jm72-67rm-763j",
"modified": "2025-06-09T17:48:33Z",
"published": "2022-04-21T01:54:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-20001"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/79a78c09d5ef5ce098adc73f6f1416f00fc238a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=11296"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=27976"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "MantisBT Insufficient Session Expiration cookie string not reset after logout"
}
GHSA-JP3H-X882-5CRH
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.
{
"affected": [],
"aliases": [
"CVE-2022-33137"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC MV540 H (All versions \u003c V3.3), SIMATIC MV540 S (All versions \u003c V3.3), SIMATIC MV550 H (All versions \u003c V3.3), SIMATIC MV550 S (All versions \u003c V3.3), SIMATIC MV560 U (All versions \u003c V3.3), SIMATIC MV560 X (All versions \u003c V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users\u0027 sessions.",
"id": "GHSA-jp3h-x882-5crh",
"modified": "2022-07-16T00:00:23Z",
"published": "2022-07-13T00:01:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33137"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JP9R-HWVP-X6C8
Vulnerability from github – Published: 2026-03-02 03:30 – Updated: 2026-03-02 03:30A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.
{
"affected": [],
"aliases": [
"CVE-2026-3401"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T01:16:02Z",
"severity": "LOW"
},
"details": "A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.",
"id": "GHSA-jp9r-hwvp-x6c8",
"modified": "2026-03-02T03:30:20Z",
"published": "2026-03-02T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3401"
},
{
"type": "WEB",
"url": "https://github.com/hiranerakkot/Web-based-Pharmacy-Product-Management-System/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.348296"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.348296"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.762795"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.