CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 5 of 11
- CVE-2022-34392MEDIUMCVSS 5.5EG 5.52023-02-11
SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch se…
- CVE-2022-34624MEDIUMCVSS 5.9EG 5.92022-08-19
Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
- CVE-2022-35728HIGHCVSS 8.1EG 9.82022-08-04
In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl RE…
- CVE-2022-36179CRITICALCVSS 9.8EG 9.82022-11-22
Fusiondirectory 1.3 suffers from Improper Session Handling.
- CVE-2022-37186MEDIUMCVSS 5.9EG 5.92023-04-16
In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the t…
- CVE-2022-38382MEDIUMCVSS 4.7EG 4.72024-08-13
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another authenticated user to obtain sensitive information. …
- CVE-2022-3867LOWCVSS 2.7EG 2.72022-11-10
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
- CVE-2022-38707MEDIUMCVSS 4.0EG 4.02023-05-05
IBM Cognos Command Center 10.2.4.1 could allow a local attacker to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 234179.
- CVE-2022-3916MEDIUMCVSS 6.8EG 6.82023-09-20
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root an…
- CVE-2022-39234MEDIUMCVSS 4.7EG 4.72022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to …
- CVE-2022-40228LOWCVSS 3.7EG 5.42022-11-22
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to imp…
- CVE-2022-40230MEDIUMCVSS 6.5EG 6.52022-11-03
"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532."
- CVE-2022-4070CRITICALCVSS 9.8EG 9.82022-11-20
Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.
- CVE-2022-41291MEDIUMCVSS 6.5EG 6.52022-10-07
IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.
- CVE-2022-41542MEDIUMCVSS 5.4EG 5.42022-10-17
devhub 0.102.0 was discovered to contain a broken session control.
- CVE-2022-41672HIGHCVSS 8.1EG 8.12022-10-07
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
- CVE-2022-43844HIGHCVSS 8.8EG 8.82023-01-05
IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 2390…
- CVE-2022-45862LOWCVSS 3.7EG 3.72024-08-13
An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all ve…
- CVE-2022-46177MEDIUMCVSS 5.7EG 5.72023-01-05
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their …
- CVE-2022-47406MEDIUMCVSS 5.4EG 5.42022-12-14
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been …
- CVE-2022-48317MEDIUMCVSS 5.6EG 9.82023-02-20
Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
- CVE-2022-50692HIGHCVSS 7.5EG 7.52025-12-30
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack activ…
- CVE-2023-0041MEDIUMCVSS 6.3EG 6.32023-06-05
IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657.
- CVE-2023-0227MEDIUMCVSS 6.5EG 6.52023-01-12
Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
- CVE-2023-1543HIGHCVSS 8.8EG 8.82023-03-21
Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1788CRITICALCVSS 9.8EG 9.82023-04-05
Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.
- CVE-2023-1854MEDIUMCVSS 4.7EG 9.82023-04-05
A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch…
- CVE-2023-20903MEDIUMCVSS 4.3EG 4.32023-03-28
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that ide…
- CVE-2023-22492MEDIUMCVSS 5.9EG 5.92023-01-11
ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not …
- CVE-2023-22591LOWCVSS 3.9EG 3.22023-03-15
IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710.
- CVE-2023-22732LOWCVSS 3.7EG 3.72023-01-17
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In v…
- CVE-2023-22771MEDIUMCVSS 6.8EG 2.42023-03-01
An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impact…
- CVE-2023-23614HIGHCVSS 8.8EG 8.82023-01-26
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Rem…
- CVE-2023-23929HIGHCVSS 8.8EG 8.82023-03-04
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0…
- CVE-2023-24426HIGHCVSS 8.8EG 8.82023-01-26
Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login.
- CVE-2023-25562MEDIUMCVSS 6.9EG 6.92023-02-11
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` me…
- CVE-2023-26288MEDIUMCVSS 5.5EG 5.52024-07-30
IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.
- CVE-2023-2788MEDIUMCVSS 6.2EG 6.22023-06-16
Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's accoun…
- CVE-2023-27891HIGHCVSS 7.5EG 7.52023-03-06
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
- CVE-2023-28001MEDIUMCVSS 4.1EG 4.12023-07-11
An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API.
- CVE-2023-28003MEDIUMCVSS 6.7EG 6.72023-04-18
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.
- CVE-2023-30403HIGHCVSS 7.5EG 7.52023-05-02
An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.
- CVE-2023-31065CRITICALCVSS 9.1EG 9.12023-05-22
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the…
- CVE-2023-31139MEDIUMCVSS 4.3EG 4.32023-05-09
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted se…
- CVE-2023-31140MEDIUMCVSS 4.8EG 4.82023-05-08
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessi…
- CVE-2023-32318HIGHCVSS 7.2EG 7.22023-05-26
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After succes…
- CVE-2023-33005MEDIUMCVSS 5.4EG 8.82023-05-16
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.
- CVE-2023-33303HIGHCVSS 8.1EG 8.12023-10-13
A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request
- CVE-2023-35857CRITICALCVSS 9.8EG 9.82023-06-19
In Siren Investigate before 13.2.2, session keys remain active even after logging out.
- CVE-2023-36252HIGHCVSS 8.8EG 8.82023-06-26
An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote authenticated attacker to execute arbitrary code and cause a denial of service via a the session expiration function.
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →