Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-P38C-8PG2-FQX5

Vulnerability from github – Published: 2024-07-30 18:32 – Updated: 2024-07-30 18:32
VLAI
Details

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  248477.",
  "id": "GHSA-p38c-8pg2-fqx5",
  "modified": "2024-07-30T18:32:06Z",
  "published": "2024-07-30T18:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26288"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248477"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161538"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P437-2C77-84P4

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-16T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user\u2019s password is changed by the administrator, the session isn\u2019t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.",
  "id": "GHSA-p437-2c77-84p4",
  "modified": "2022-05-24T22:28:49Z",
  "published": "2022-05-24T22:28:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P45M-MV49-39FW

Vulnerability from github – Published: 2023-02-11 03:32 – Updated: 2023-02-21 18:30
VLAI
Details

SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-11T01:23:00Z",
    "severity": "MODERATE"
  },
  "details": "SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.",
  "id": "GHSA-p45m-mv49-39fw",
  "modified": "2023-02-21T18:30:24Z",
  "published": "2023-02-11T03:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34392"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000204114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P523-JRPH-QJC6

Vulnerability from github – Published: 2022-01-06 23:49 – Updated: 2022-01-06 20:17
VLAI
Summary
Insufficient Session Expiration in shopware
Details

Impact

Automatically invalidate sessions upon password change

Patches

We recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/shopware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.7.3"
            },
            {
              "fixed": "5.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T20:17:22Z",
    "nvd_published_at": "2022-01-05T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nAutomatically invalidate sessions upon password change\n\n### Patches\n\nWe recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n### References\n\nhttps://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022\n",
  "id": "GHSA-p523-jrph-qjc6",
  "modified": "2022-01-06T20:17:22Z",
  "published": "2022-01-06T23:49:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in shopware"
}

GHSA-P594-WH4R-V877

Vulnerability from github – Published: 2024-03-14 15:34 – Updated: 2024-03-14 15:34
VLAI
Details

Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the 'Login.asp and logout.asp' files do not handle session details correctly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-14T13:15:53Z",
    "severity": "HIGH"
  },
  "details": "Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the \u0027Login.asp and logout.asp\u0027 files do not handle session details correctly.",
  "id": "GHSA-p594-wh4r-v877",
  "modified": "2024-03-14T15:34:06Z",
  "published": "2024-03-14T15:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1623"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P68J-Q8J9-JWF5

Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34
VLAI
Details

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T22:16:54Z",
    "severity": "MODERATE"
  },
  "details": "OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.",
  "id": "GHSA-p68j-q8j9-jwf5",
  "modified": "2026-06-13T00:34:32Z",
  "published": "2026-06-13T00:34:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53830"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-secret-revocation-bypass-via-secrets-reload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P7MX-FRQJ-J9HQ

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the application URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-04T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user\u0027s browser via reusing the exposed session token in the application URL.",
  "id": "GHSA-p7mx-frqj-j9hq",
  "modified": "2022-05-13T01:36:40Z",
  "published": "2022-05-13T01:36:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3966"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC62-V6R5-973X

Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31
VLAI
Details

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T23:15:44Z",
    "severity": "MODERATE"
  },
  "details": "SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.",
  "id": "GHSA-pc62-v6r5-973x",
  "modified": "2025-12-31T00:31:10Z",
  "published": "2025-12-31T00:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50692"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2022120030"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247956"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/170251/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Insufficient-Session-Expiration.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sound4.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-insufficient-session-expiration-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PF92-7X8P-6X5M

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-18T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user\u0027s container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.",
  "id": "GHSA-pf92-7x8p-6x5m",
  "modified": "2022-05-24T17:44:46Z",
  "published": "2022-05-24T17:44:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3867"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772704"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PGPR-4M7F-52MM

Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2022-02-03 00:00
VLAI
Details

In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-13T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser\u2019s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.",
  "id": "GHSA-pgpr-4m7f-52mm",
  "modified": "2022-02-03T00:00:50Z",
  "published": "2022-01-14T00:02:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/0142c114e9325722d6c8e8ca00f10f0f34dd0409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/0ebc9a4be110764a2510bf886531f21e21b079ea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/2f08c6782762e58e008bd50f3892cb1cdd1be539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/6104de5ba51f79d749b9d5406fde5c2983fc5c5c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/87f4dd224c8736778a8f23788a92471b11da9061"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/focalboard/commit/a2fab2c1d9b3f61871f6da4dc434a2b19ca9552c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-server/commit/0a042ca05fefa0584045bab1b7dae102360c98c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-server/commit/5f7fd34956ad5bf7e3697a920e377e11c16dda06"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-server/commit/6a4c881450973284c3ed98f39bde4809ddd8a758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-server/commit/74e87ec3e623202a9654ae164e834cfe26dd6ec3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-server/commit/7bc182de9eebb708d62b828213144a1aa4560fa0"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22122"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.