CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 6 of 11
- CVE-2023-37504HIGHCVSS 7.1EG 7.12023-10-19
HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the ap…
- CVE-2023-37570HIGHCVSS 7.2EG 7.22023-08-08
This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. By reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.
- CVE-2023-37919MEDIUMCVSS 6.5EG 6.52023-07-25
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the …
- CVE-2023-38489HIGHCVSS 7.3EG 7.32023-07-27
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be a…
- CVE-2023-39695MEDIUMCVSS 5.3EG 5.32023-10-31
Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out.
- CVE-2023-40025MEDIUMCVSS 4.7EG 4.72023-08-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages e…
- CVE-2023-4005CRITICALCVSS 9.8EG 3.82023-07-31
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.
- CVE-2023-40174MEDIUMCVSS 6.8EG 6.82023-08-18
Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does n…
- CVE-2023-40178MEDIUMCVSS 5.3EG 5.32023-08-23
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could…
- CVE-2023-40537HIGHCVSS 8.1EG 8.12023-10-10
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (…
- CVE-2023-40695MEDIUMCVSS 6.3EG 6.32024-05-03
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 264938.
- CVE-2023-40732LOWCVSS 3.9EG 3.92023-09-12
A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking att…
- CVE-2023-41041LOWCVSS 3.1EG 2.62023-08-30
Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintai…
- CVE-2023-4126HIGHCVSS 8.8EG 8.82023-08-03
Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.
- CVE-2023-4190MEDIUMCVSS 6.5EG 6.52023-08-06
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11.
- CVE-2023-42768HIGHCVSS 7.2EG 7.22023-10-10
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can…
- CVE-2023-4320HIGHCVSS 7.5EG 7.52023-12-18
An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage …
- CVE-2023-45187MEDIUMCVSS 6.3EG 6.32024-02-09
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749.
- CVE-2023-45600MEDIUMCVSS 5.6EG 5.62024-03-05
A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle…
- CVE-2023-45659LOWCVSS 2.8EG 3.62023-10-17
Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' …
- CVE-2023-45718LOWCVSS 3.9EG 3.92024-02-09
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed ou…
- CVE-2023-46158CRITICALCVSS 9.8EG 4.92023-10-25
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.
- CVE-2023-46326HIGHCVSS 8.8EG 8.82023-11-30
ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation.
- CVE-2023-47628MEDIUMCVSS 4.8EG 4.22023-11-14
DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were e…
- CVE-2023-49091CRITICALCVSS 9.8EG 8.82023-11-29
Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid an…
- CVE-2023-49881MEDIUMCVSS 6.3EG 6.32025-10-01
IBM Transformation Extender Advanced 10.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2023-49935HIGHCVSS 8.8EG 8.82023-12-14
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process…
- CVE-2023-50270MEDIUMCVSS 6.5EG 6.52024-02-20
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
- CVE-2023-50936MEDIUMCVSS 6.3EG 6.32024-02-02
IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.
- CVE-2023-51772HIGHCVSS 8.8EG 8.82023-12-25
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide th…
- CVE-2023-5838CRITICALCVSS 9.8EG 4.12023-10-29
Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.
- CVE-2023-5865CRITICALCVSS 9.8EG 9.82023-10-31
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
- CVE-2023-5889HIGHCVSS 8.2EG 4.32023-11-01
Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
- CVE-2024-0008MEDIUMCVSS 6.6EG 6.62024-02-14
Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.
- CVE-2024-0260HIGHCVSS 7.5EG 4.32024-01-07
A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads…
- CVE-2024-0350LOWCVSS 3.1EG 3.12024-01-09
A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remot…
- CVE-2024-0942LOWCVSS 3.7EG 3.72024-01-26
A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. It is possible to…
- CVE-2024-0943LOWCVSS 3.7EG 3.72024-01-26
A vulnerability was found in Totolink N350RT 9.3.5u.6255. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The a…
- CVE-2024-0944LOWCVSS 3.7EG 3.72024-01-26
A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attac…
- CVE-2024-11208LOWCVSS 3.7EG 3.72024-11-14
A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. …
- CVE-2024-11627MEDIUMCVSS 6.8EG 6.82025-01-07
: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400…
- CVE-2024-11668MEDIUMCVSS 4.2EG 4.22024-11-26
An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access…
- CVE-2024-12667LOWCVSS 3.7EG 3.72024-12-16
A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched …
- CVE-2024-13280CRITICALCVSS 9.8EG 9.82025-01-09
Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.
- CVE-2024-13996CRITICALCVSS 9.8EG 9.82025-10-30
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained…
- CVE-2024-1623HIGHCVSS 7.7EG 7.72024-03-14
Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is poss…
- CVE-2024-1900MEDIUMCVSS 5.5EG 5.52024-03-05
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the…
- CVE-2024-20301MEDIUMCVSS 6.2EG 6.22024-03-06
A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. This vulnerability is due to a failure to i…
- CVE-2024-21492MEDIUMCVSS 4.8EG 4.82024-02-17
All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests …
- CVE-2024-21722MEDIUMCVSS 6.3EG 6.32024-02-29
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →