CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-9P5P-94M7-4MP9
Vulnerability from github – Published: 2024-09-18 12:31 – Updated: 2024-09-18 12:31An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.
{
"affected": [],
"aliases": [
"CVE-2024-8888"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T12:15:03Z",
"severity": "CRITICAL"
},
"details": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.",
"id": "GHSA-9p5p-94m7-4mp9",
"modified": "2024-09-18T12:31:32Z",
"published": "2024-09-18T12:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8888"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9Q24-C9H6-H244
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.
{
"affected": [],
"aliases": [
"CVE-2024-13280"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:36Z",
"severity": "CRITICAL"
},
"details": "Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.",
"id": "GHSA-9q24-c9h6-h244",
"modified": "2025-01-10T18:31:40Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13280"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9Q4H-7J59-Q25X
Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-12 00:30An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.
{
"affected": [],
"aliases": [
"CVE-2024-48827"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T16:15:13Z",
"severity": "HIGH"
},
"details": "An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.",
"id": "GHSA-9q4h-7j59-q25x",
"modified": "2024-10-12T00:30:47Z",
"published": "2024-10-11T18:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48827"
},
{
"type": "WEB",
"url": "https://github.com/sbondCo/Watcharr"
},
{
"type": "WEB",
"url": "https://github.com/sbondCo/Watcharr/releases/tag/v1.43.0"
},
{
"type": "WEB",
"url": "https://github.com/yamerooo123/CVE/blob/main/CVE-2024-48827/Description.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9Q94-V7CH-MXQW
Vulnerability from github – Published: 2021-08-02 17:35 – Updated: 2021-05-25 20:12This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.358.30"
},
"package": {
"ecosystem": "NuGet",
"name": "OPCFoundation.NetStandard.Opc.Ua"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.359.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8867"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-25T20:12:12Z",
"nvd_published_at": "2020-04-22T21:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.",
"id": "GHSA-9q94-v7ch-mxqw",
"modified": "2021-05-25T20:12:12Z",
"published": "2021-08-02T17:35:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8867"
},
{
"type": "WEB",
"url": "https://github.com/OPCFoundation/UA-.NETStandard/releases/tag/1.4.359.31"
},
{
"type": "WEB",
"url": "https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2020-8867.pdf"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration and TOCTOU Race Condition in OPC FOundation UA .Net Standard"
}
GHSA-9R58-7QGH-QJQ2
Vulnerability from github – Published: 2025-04-14 15:31 – Updated: 2025-04-14 15:31IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-49825"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T15:15:23Z",
"severity": "MODERATE"
},
"details": "IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-9r58-7qgh-qjq2",
"modified": "2025-04-14T15:31:59Z",
"published": "2025-04-14T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49825"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7230848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9RFX-MM7M-3CG2
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.
{
"affected": [],
"aliases": [
"CVE-2021-37333"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-04T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.",
"id": "GHSA-9rfx-mm7m-3cg2",
"modified": "2022-05-24T19:16:29Z",
"published": "2022-05-24T19:16:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37333"
},
{
"type": "WEB",
"url": "https://www.navidkagalwalla.com/booking-core-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9RPJ-R444-XVP8
Vulnerability from github – Published: 2023-08-08 09:30 – Updated: 2024-04-04 06:37This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. By reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.
{
"affected": [],
"aliases": [
"CVE-2023-37570"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T09:15:10Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. \nBy reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.\n",
"id": "GHSA-9rpj-r444-xvp8",
"modified": "2024-04-04T06:37:47Z",
"published": "2023-08-08T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37570"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V5V-3JHC-PFFJ
Vulnerability from github – Published: 2025-05-11 03:30 – Updated: 2026-05-27 15:32A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-4528"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-11T03:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in D\u00edgitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-9v5v-3jhc-pffj",
"modified": "2026-05-27T15:32:59Z",
"published": "2025-05-11T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4528"
},
{
"type": "WEB",
"url": "https://digitro.com/recomendacao-10-2026-ctir-gov"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.308273"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.308273"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.565309"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/565309"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/308273"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/308273/cti"
},
{
"type": "WEB",
"url": "https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/recomendacoes/2026/recomendacao-10-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9WWP-Q7WQ-JX35
Vulnerability from github – Published: 2024-04-10 17:15 – Updated: 2024-04-11 14:31Impact
At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing the data from a server-side session, but technically that session is generated solely from a user provided cookie (which is assumed to be non-craftable because it is encrypted with a secret key not known to the user).
The issue exists in the session removal process. In the delete function of the code, when the session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could keep using it forever.
Patches
Fixed in 56d66642ecc633cff0606927601e81cdac361370. Update to v7.3.0.
Workarounds
Include a "last update" field in the session, and treat "old sessions" as expired. Make sure to configure your cookie as "http only".
References
- https://hackerone.com/reports/2374253
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fastify/secure-session"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31999"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-10T17:15:50Z",
"nvd_published_at": "2024-04-10T22:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAt the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing the data from a server-side session, but technically that session is generated solely from a user provided cookie (which is assumed to be non-craftable because it is encrypted with a secret key not known to the user).\n\nThe issue exists in the session removal process. In the delete function of the code, when the session is deleted, it is marked for deletion. However, if an attacker could gain access to the cookie, they could keep using it forever.\n\n### Patches\n\nFixed in 56d66642ecc633cff0606927601e81cdac361370.\nUpdate to v7.3.0.\n\n### Workarounds\n\nInclude a \"last update\" field in the session, and treat \"old sessions\" as expired. \nMake sure to configure your cookie as \"http only\".\n\n### References\n\n* https://hackerone.com/reports/2374253\n",
"id": "GHSA-9wwp-q7wq-jx35",
"modified": "2024-04-11T14:31:13Z",
"published": "2024-04-10T17:15:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31999"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-secure-session/commit/56d66642ecc633cff0606927601e81cdac361370"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-secure-session"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@fastify/secure-session: Reuse of destroyed secure session cookie"
}
GHSA-C2HR-FWVR-RXJM
Vulnerability from github – Published: 2023-11-01 03:30 – Updated: 2023-11-01 03:30Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
{
"affected": [],
"aliases": [
"CVE-2023-5889"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T01:15:07Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.",
"id": "GHSA-c2hr-fwvr-rxjm",
"modified": "2023-11-01T03:30:58Z",
"published": "2023-11-01T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5889"
},
{
"type": "WEB",
"url": "https://github.com/pkp/pkp-lib/commit/32d071ef2090fc336bc17d56a86d1dff90c26f0b"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/fba2991a-1b8a-4c89-9689-d708526928e1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.