CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 7 of 11
- CVE-2024-22351MEDIUMCVSS 6.3EG 6.32025-04-23
IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2024-22358MEDIUMCVSS 6.3EG 6.32024-04-12
IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to …
- CVE-2024-22389HIGHCVSS 7.2EG 7.22024-02-14
When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
- CVE-2024-22403LOWCVSS 3.0EG 3.02024-01-18
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 O…
- CVE-2024-22543MEDIUMCVSS 6.1EG 6.12024-02-27
An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function.
- CVE-2024-23586MEDIUMCVSS 5.3EG 5.32024-09-27
HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information.
- CVE-2024-25051MEDIUMCVSS 6.6EG 6.62025-04-02
IBM Jazz Reporting Service 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated privileged user to impersonate another user on the system.
- CVE-2024-25619LOWCVSS 3.1EG 3.12024-02-14
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security r…
- CVE-2024-25628HIGHCVSS 7.6EG 7.62024-02-16
Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are…
- CVE-2024-25718CRITICALCVSS 9.8EG 9.82024-02-11
In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.
- CVE-2024-25954MEDIUMCVSS 5.3EG 5.32024-03-28
Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.
- CVE-2024-27455CRITICALCVSS 9.1EG 9.12024-02-26
In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integ…
- CVE-2024-27779MEDIUMCVSS 6.7EG 6.72025-07-18
An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all…
- CVE-2024-27782HIGHCVSS 8.1EG 8.12024-07-09
Multiple insufficient session expiration weaknesses [CWE-613] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations via crafted requests.
- CVE-2024-29070CRITICALCVSS 9.1EG 9.12024-07-23
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests a…
- CVE-2024-29401CRITICALCVSS 9.8EG 9.82024-03-26
xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything.
- CVE-2024-29402MEDIUMCVSS 4.3EG 4.32024-04-16
cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity.
- CVE-2024-30262MEDIUMCVSS 5.9EG 5.92024-04-09
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone …
- CVE-2024-31447MEDIUMCVSS 5.3EG 5.32024-04-08
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be c…
- CVE-2024-31995MEDIUMCVSS 4.3EG 4.32024-04-10
`@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `ex…
- CVE-2024-31999HIGHCVSS 7.4EG 7.42024-04-10
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cooki…
- CVE-2024-32006MEDIUMCVSS 4.3EG 4.32024-09-10
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authenti…
- CVE-2024-33507HIGHCVSS 7.4EG 7.42025-10-14
An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism ma…
- CVE-2024-34092HIGHCVSS 8.8EG 8.82024-05-06
An issue was discovered in Archer Platform 6 before 2024.04. Authentication was mishandled because lock did not terminate an existing session. 6.14 P3 (6.14.0.3) is also a fixed release.
- CVE-2024-34709MEDIUMCVSS 5.4EG 5.42024-05-14
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets dest…
- CVE-2024-35048MEDIUMCVSS 4.3EG 4.32024-05-14
An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.
- CVE-2024-35049CRITICALCVSS 9.1EG 9.12024-05-14
SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590.
- CVE-2024-35050HIGHCVSS 8.8EG 8.82024-05-14
An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin.
- CVE-2024-35160MEDIUMCVSS 4.3EG 4.32024-11-23
IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.
- CVE-2024-35206HIGHCVSS 7.7EG 7.82024-06-11
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application does not expire the session. This could allow an attacker to get unauthorized access.
- CVE-2024-35220HIGHCVSS 7.4EG 7.42024-05-21
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly…
- CVE-2024-36041HIGHCVSS 7.8EG 7.82024-07-05
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to…
- CVE-2024-36523MEDIUMCVSS 6.5EG 6.52024-06-12
An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts. This is provided that the users do not log out of their deleted accounts.
- CVE-2024-38315MEDIUMCVSS 6.3EG 6.32024-09-16
IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
- CVE-2024-39809HIGHCVSS 7.5EG 7.52024-08-14
The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
- CVE-2024-41827HIGHCVSS 7.4EG 7.42024-07-22
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
- CVE-2024-41985LOWCVSS 2.6EG 2.62025-08-12
A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not exp…
- CVE-2024-42447CRITICALCVSS 9.8EG 9.82024-08-05
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented…
- CVE-2024-43181MEDIUMCVSS 6.3EG 6.32026-02-04
IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2024-43685CRITICALCVSS 9.8EG 9.82024-10-04
Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.
- CVE-2024-45033HIGHCVSS 8.1EG 8.12025-01-08
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been clea…
- CVE-2024-45187HIGHCVSS 7.1EG 7.12024-08-23
Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server
- CVE-2024-45386HIGHCVSS 8.8EG 8.82025-02-11
A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Saf…
- CVE-2024-45462MEDIUMCVSS 6.3EG 6.32024-10-16
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired se…
- CVE-2024-45651MEDIUMCVSS 6.3EG 6.32025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
- CVE-2024-46040MEDIUMCVSS 6.5EG 6.52024-10-07
IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-F…
- CVE-2024-4680HIGHCVSS 8.8EG 3.92024-06-08
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attack…
- CVE-2024-46892MEDIUMCVSS 4.9EG 4.92024-11-12
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This cou…
- CVE-2024-48827HIGHCVSS 8.8EG 8.82024-10-11
An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.
- CVE-2024-48926MEDIUMCVSS 4.2EG 4.22024-10-22
Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout…
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →