Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-MXH5-F83R-VF79

Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31
VLAI
Details

CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T17:15:43Z",
    "severity": "LOW"
  },
  "details": "CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.",
  "id": "GHSA-mxh5-f83r-vf79",
  "modified": "2025-09-17T18:31:18Z",
  "published": "2025-09-17T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-57a8b13962b268bcc3690df0f6c0d6ddeca7cbc7b05c3c20903cb07e659330eaR844-R849"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/thorium/releases/tag/1.1.1"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35433"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P38C-8PG2-FQX5

Vulnerability from github – Published: 2024-07-30 18:32 – Updated: 2024-07-30 18:32
VLAI
Details

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  248477.",
  "id": "GHSA-p38c-8pg2-fqx5",
  "modified": "2024-07-30T18:32:06Z",
  "published": "2024-07-30T18:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26288"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248477"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161538"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P437-2C77-84P4

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-16T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user\u2019s password is changed by the administrator, the session isn\u2019t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.",
  "id": "GHSA-p437-2c77-84p4",
  "modified": "2022-05-24T22:28:49Z",
  "published": "2022-05-24T22:28:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P45M-MV49-39FW

Vulnerability from github – Published: 2023-02-11 03:32 – Updated: 2023-02-21 18:30
VLAI
Details

SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-11T01:23:00Z",
    "severity": "MODERATE"
  },
  "details": "SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.",
  "id": "GHSA-p45m-mv49-39fw",
  "modified": "2023-02-21T18:30:24Z",
  "published": "2023-02-11T03:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34392"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000204114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P523-JRPH-QJC6

Vulnerability from github – Published: 2022-01-06 23:49 – Updated: 2022-01-06 20:17
VLAI
Summary
Insufficient Session Expiration in shopware
Details

Impact

Automatically invalidate sessions upon password change

Patches

We recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/shopware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.7.3"
            },
            {
              "fixed": "5.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T20:17:22Z",
    "nvd_published_at": "2022-01-05T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nAutomatically invalidate sessions upon password change\n\n### Patches\n\nWe recommend updating to the current version 5.7.7. You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n### References\n\nhttps://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022\n",
  "id": "GHSA-p523-jrph-qjc6",
  "modified": "2022-01-06T20:17:22Z",
  "published": "2022-01-06T23:49:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in shopware"
}

GHSA-P594-WH4R-V877

Vulnerability from github – Published: 2024-03-14 15:34 – Updated: 2024-03-14 15:34
VLAI
Details

Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the 'Login.asp and logout.asp' files do not handle session details correctly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-14T13:15:53Z",
    "severity": "HIGH"
  },
  "details": "Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the \u0027Login.asp and logout.asp\u0027 files do not handle session details correctly.",
  "id": "GHSA-p594-wh4r-v877",
  "modified": "2024-03-14T15:34:06Z",
  "published": "2024-03-14T15:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1623"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P68J-Q8J9-JWF5

Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34
VLAI
Details

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T22:16:54Z",
    "severity": "MODERATE"
  },
  "details": "OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.",
  "id": "GHSA-p68j-q8j9-jwf5",
  "modified": "2026-06-13T00:34:32Z",
  "published": "2026-06-13T00:34:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53830"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-secret-revocation-bypass-via-secrets-reload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P7MX-FRQJ-J9HQ

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the application URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-04T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user\u0027s browser via reusing the exposed session token in the application URL.",
  "id": "GHSA-p7mx-frqj-j9hq",
  "modified": "2022-05-13T01:36:40Z",
  "published": "2022-05-13T01:36:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3966"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC62-V6R5-973X

Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31
VLAI
Details

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T23:15:44Z",
    "severity": "MODERATE"
  },
  "details": "SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.",
  "id": "GHSA-pc62-v6r5-973x",
  "modified": "2025-12-31T00:31:10Z",
  "published": "2025-12-31T00:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50692"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2022120030"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247956"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/170251/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Insufficient-Session-Expiration.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sound4.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-insufficient-session-expiration-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PF92-7X8P-6X5M

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-18T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user\u0027s container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.",
  "id": "GHSA-pf92-7x8p-6x5m",
  "modified": "2022-05-24T17:44:46Z",
  "published": "2022-05-24T17:44:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3867"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772704"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.