Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-R5HH-FV95-JJXP

Vulnerability from github – Published: 2024-02-09 03:33 – Updated: 2024-02-09 03:33
VLAI
Details

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-09T01:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  268749.",
  "id": "GHSA-r5hh-fv95-jjxp",
  "modified": "2024-02-09T03:33:10Z",
  "published": "2024-02-09T03:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45187"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268749"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7116045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R67G-69PQ-W76X

Vulnerability from github – Published: 2024-08-13 03:31 – Updated: 2024-08-13 03:31
VLAI
Details

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another user to obtain sensitive information. IBM X-Force ID: 233672.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T02:15:04Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 does not invalidate session after logout which could allow another user to obtain sensitive information.  IBM X-Force ID:  233672.",
  "id": "GHSA-r67g-69pq-w76x",
  "modified": "2024-08-13T03:31:16Z",
  "published": "2024-08-13T03:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38382"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233672"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7165286"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6XP-85FR-87P6

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-03T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.",
  "id": "GHSA-r6xp-85fr-87p6",
  "modified": "2022-05-24T19:19:35Z",
  "published": "2022-05-24T19:19:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40849"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/mahara/+bug/1930469"
    },
    {
      "type": "WEB",
      "url": "https://mahara.org/interaction/forum/topic.php?id=8949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R76W-3WWQ-JV6V

Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2024-10-21 19:57
VLAI
Summary
Insufficient Session Expiration in pretix
Details

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.17.0"
            },
            {
              "fixed": "4.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.16.0"
            },
            {
              "fixed": "4.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-14T23:01:26Z",
    "nvd_published_at": "2023-03-06T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.",
  "id": "GHSA-r76w-3wwq-jv6v",
  "modified": "2024-10-21T19:57:52Z",
  "published": "2023-03-07T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-42.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thufschmitt/pretix-nix"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20230306-release-4171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insufficient Session Expiration in pretix"
}

GHSA-R7CM-W9CH-CF3G

Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 12:32
VLAI
Details

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T10:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.",
  "id": "GHSA-r7cm-w9ch-cf3g",
  "modified": "2026-06-15T12:32:44Z",
  "published": "2026-06-15T12:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25928"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-44188"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8PM-G6V2-5WGX

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.",
  "id": "GHSA-r8pm-g6v2-5wgx",
  "modified": "2022-05-24T19:17:18Z",
  "published": "2022-05-24T19:17:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35214"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R926-QJG2-Q5JR

Vulnerability from github – Published: 2023-12-14 06:30 – Updated: 2025-11-04 21:30
VLAI
Details

An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-14T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.",
  "id": "GHSA-r926-qjg2-q5jr",
  "modified": "2025-11-04T21:30:52Z",
  "published": "2023-12-14T06:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49935"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
    },
    {
      "type": "WEB",
      "url": "https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html"
    },
    {
      "type": "WEB",
      "url": "https://www.schedmd.com/security-archive.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R954-PFF6-J82V

Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-01-02 18:30
VLAI
Details

Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.",
  "id": "GHSA-r954-pff6-j82v",
  "modified": "2025-01-02T18:30:36Z",
  "published": "2025-01-02T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56413"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R989-7G3J-WJHW

Vulnerability from github – Published: 2026-06-17 14:07 – Updated: 2026-06-17 14:07
VLAI
Summary
NocoDB: Refresh Tokens Persist Through Password Recovery
Details

Summary

A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

Details

passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.

Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

Credit

This issue was reported by @bugbunny-research.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:07:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stolen refresh token survived a password-forgot flow and could be used to mint fresh\nJWTs even after the user reset their password.\n\n### Details\n`passwordChange` and `passwordReset` deleted the user\u0027s refresh tokens, but\n`passwordForgot` only rotated `token_version` and revoked OAuth tokens \u2014 it did not\ncall `UserRefreshToken.deleteAllUserToken(user.id)`. An attacker holding a captured\nrefresh cookie could still exchange it for a new access token after the victim\ntriggered the recovery flow.\n\n### Impact\nPersistent unauthorized access after password recovery. Once a refresh token leaks, the\ndocumented \"Forgot password\" recovery flow did not in fact revoke the attacker\u0027s\nsession.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
  "id": "GHSA-r989-7g3j-wjhw",
  "modified": "2026-06-17T14:07:33Z",
  "published": "2026-06-17T14:07:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-r989-7g3j-wjhw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Refresh Tokens Persist Through Password Recovery"
}

GHSA-R9RJ-JC5H-JCWH

Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30
VLAI
Details

When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-14T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.  \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-r9rj-jc5h-jcwh",
  "modified": "2024-02-14T18:30:25Z",
  "published": "2024-02-14T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22389"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K32544615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.