CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 4 of 11
- CVE-2021-37866MEDIUMCVSS 4.7EG 4.72022-01-18
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
- CVE-2021-3844MEDIUMCVSS 5.7EG 5.42023-03-24
Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unre…
- CVE-2021-38823CRITICALCVSS 9.8EG 9.82021-10-04
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
- CVE-2021-38986MEDIUMCVSS 5.4EG 5.42022-03-01
IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942.
- CVE-2021-39113HIGHCVSS 7.5EG 7.52021-08-30
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected …
- CVE-2021-40849CRITICALCVSS 9.8EG 9.82021-11-03
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileg…
- CVE-2021-41100HIGHCVSS 7.4EG 7.42021-10-04
Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. A…
- CVE-2021-41247LOWCVSS 3.5EG 3.52021-11-04
JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credential…
- CVE-2021-42545HIGHCVSS 8.1EG 8.12021-11-30
An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
- CVE-2021-43791MEDIUMCVSS 6.5EG 6.52021-12-02
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the …
- CVE-2021-45885HIGHCVSS 7.5EG 7.52021-12-29
An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.
- CVE-2021-46279MEDIUMCVSS 5.8EG 9.82022-10-24
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
- CVE-2021-47663HIGHCVSS 8.1EG 8.12025-04-24
Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.
- CVE-2021-47740HIGHCVSS 7.5EG 7.52025-12-31
KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access a…
- CVE-2022-0991HIGHCVSS 7.1EG 7.12022-03-19
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.
- CVE-2022-0996MEDIUMCVSS 6.5EG 7.52022-03-23
A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
- CVE-2022-2064HIGHCVSS 8.8EG 8.82022-06-13
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
- CVE-2022-21652LOWCVSS 3.5EG 3.52022-01-05
Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created …
- CVE-2022-22113HIGHCVSS 8.8EG 8.82022-01-13
In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the…
- CVE-2022-22283LOWCVSS 2.8EG 2.82022-01-10
Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.
- CVE-2022-22317CRITICALCVSS 9.8EG 9.82022-06-20
IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281.
- CVE-2022-22318CRITICALCVSS 9.8EG 9.82022-06-20
IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2022-22371MEDIUMCVSS 5.5EG 6.52023-01-05
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
- CVE-2022-2306HIGHCVSS 7.5EG 7.52022-07-05
Old session tokens can be used to authenticate to the application and send authenticated requests.
- CVE-2022-23063HIGHCVSS 8.8EG 8.82022-05-03
In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even a…
- CVE-2022-23502MEDIUMCVSS 5.4EG 5.42022-12-14
TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particu…
- CVE-2022-23669HIGHCVSS 8.8EG 8.82022-05-17
A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that a…
- CVE-2022-24042CRITICALCVSS 9.1EG 9.12022-05-10
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web …
- CVE-2022-24332MEDIUMCVSS 5.3EG 5.32022-02-25
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.
- CVE-2022-24341HIGHCVSS 7.5EG 7.52022-02-25
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.
- CVE-2022-24732MEDIUMCVSS 6.3EG 6.32022-03-09
Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upg…
- CVE-2022-24743HIGHCVSS 7.1EG 7.12022-03-14
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the e…
- CVE-2022-24744LOWCVSS 2.6EG 2.62022-03-09
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved i…
- CVE-2022-24895MEDIUMCVSS 6.3EG 6.32023-02-03
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because thi…
- CVE-2022-25590MEDIUMCVSS 6.5EG 6.52022-03-25
SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to login to the system and access data using the browser cache when the user exits the application.
- CVE-2022-2713CRITICALCVSS 9.8EG 9.82022-08-08
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
- CVE-2022-2782CRITICALCVSS 9.1EG 9.12022-10-27
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
- CVE-2022-2783MEDIUMCVSS 5.3EG 5.32022-10-06
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
- CVE-2022-2820HIGHCVSS 7.0EG 8.22022-08-15
Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.
- CVE-2022-2888MEDIUMCVSS 4.4EG 4.42022-09-21
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
- CVE-2022-30277MEDIUMCVSS 5.7EG 5.72022-06-02
BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health i…
- CVE-2022-30698MEDIUMCVSS 6.5EG 6.52022-08-01
NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. T…
- CVE-2022-30699MEDIUMCVSS 6.5EG 6.52022-08-01
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached …
- CVE-2022-3080HIGHCVSS 7.5EG 7.52022-09-21
By sending specific queries to the resolver, an attacker can cause named to crash.
- CVE-2022-31050MEDIUMCVSS 6.0EG 6.02022-06-14
TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was …
- CVE-2022-31145MEDIUMCVSS 6.5EG 6.52022-07-13
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and …
- CVE-2022-31677MEDIUMCVSS 5.4EG 5.42022-08-29
An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their sessio…
- CVE-2022-32759MEDIUMCVSS 5.3EG 5.32024-07-25
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
- CVE-2022-33137HIGHCVSS 8.0EG 8.02022-07-12
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMAT…
- CVE-2022-3362CRITICALCVSS 9.8EG 9.82022-11-14
Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →