Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-RCM4-JV5G-WCCM

Vulnerability from github – Published: 2024-06-07 22:30 – Updated: 2024-06-07 22:30
VLAI
Summary
zfr authentication adapter did not verify validity of tokens
Details

Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren't checked for validity/expiration.

This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zfr/zfr-oauth2-server-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:30:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release [0.1.2](https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2)), tokens weren\u0027t checked for validity/expiration.\n\nThis potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.",
  "id": "GHSA-rcm4-jv5g-wccm",
  "modified": "2024-06-07T22:30:03Z",
  "published": "2024-06-07T22:30:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zfr authentication adapter did not verify validity of tokens"
}

GHSA-RCWJ-2HJ2-VMJJ

Vulnerability from github – Published: 2022-02-09 00:23 – Updated: 2022-02-09 00:23
VLAI
Summary
Insufficient Session Expiration in Apache NiFi Registry
Details

If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi.registry:nifi-registry-web-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-9482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T18:36:05Z",
    "nvd_published_at": "2020-04-28T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user\u0027s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.",
  "id": "GHSA-rcwj-2hj2-vmjj",
  "modified": "2022-02-09T00:23:06Z",
  "published": "2022-02-09T00:23:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/pull/259/commits/32f9352465e877d71ad7f85b70f2304ba620e133#diff-a72e640a2c41fe6fe8848066f6a588da2e9e76350bef287d7e145a231042c485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/registry-security.html#CVE-2020-9482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Apache NiFi Registry"
}

GHSA-RFMR-G36P-H7HG

Vulnerability from github – Published: 2023-10-19 03:30 – Updated: 2024-04-04 08:46
VLAI
Details

HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called.  If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-19T01:15:08Z",
    "severity": "MODERATE"
  },
  "details": "HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. \u00a0If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.\n",
  "id": "GHSA-rfmr-g36p-h7hg",
  "modified": "2024-04-04T08:46:53Z",
  "published": "2023-10-19T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37504"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFQG-QGF8-XR9X

Vulnerability from github – Published: 2026-04-03 03:11 – Updated: 2026-05-06 23:25
VLAI
Summary
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Details

Summary

Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation

Current Maintainer Triage

  • Status: open
  • Normalized severity: low
  • Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a real but post-compromise revocation gap.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 91f7a6b0fd67b703897e6e307762d471ca09333d — 2026-03-31T09:05:34+09:00

Release Process Note

  • The fix is already present in released version 2026.3.31.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @zsxsoft for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T03:11:33Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\nGateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a real but post-compromise revocation gap.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `91f7a6b0fd67b703897e6e307762d471ca09333d` \u2014 2026-03-31T09:05:34+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.",
  "id": "GHSA-rfqg-qgf8-xr9x",
  "modified": "2026-05-06T23:25:24Z",
  "published": "2026-04-03T03:11:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation"
}

GHSA-RGQ2-93GJ-FFXG

Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-07-02 18:37
VLAI
Summary
Casdoor doesn't enforce SAML assertion time bounds
Details

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/casdoor/casdoor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1000.1-0.20260321120606-239e8bd69487"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-9096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T18:37:47Z",
    "nvd_published_at": "2026-05-28T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.",
  "id": "GHSA-rgq2-93gj-ffxg",
  "modified": "2026-07-02T18:37:47Z",
  "published": "2026-05-28T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9096"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/casdoor/casdoor"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/780781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Casdoor doesn\u0027t enforce SAML assertion time bounds"
}

GHSA-RJR7-PJQ2-V9J9

Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2022-01-14 00:02
VLAI
Details

In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-13T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.",
  "id": "GHSA-rjr7-pjq2-v9j9",
  "modified": "2022-01-14T00:02:26Z",
  "published": "2022-01-14T00:02:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bottelet/DaybydayCRM/blob/master/config/session.php#L32"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RP4V-HHM6-RCV9

Vulnerability from github – Published: 2022-09-01 22:24 – Updated: 2022-09-08 13:55
VLAI
Summary
Pinniped Supervisor Insufficient Session Expiration vulnerability
Details

Impact

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.

Access tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token's advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user's account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user's group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.

Access tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user's backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.

Note that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.

Practical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.

Patches

The impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.

This vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.

Workarounds

There are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.

References

The issue was fixed by PR #1264.

For more information

If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.pinniped.dev"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-01T22:24:05Z",
    "nvd_published_at": "2022-08-29T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.\n\nAccess tokens issued by the Pinniped Supervisor have an intended expiration lifetime of approximately two minutes. The Pinniped CLI will automatically use the refresh token, which has a lifetime of approximately nine hours, to request a new access token after the access token\u0027s advertised expiration time elapses. Starting in Pinniped version 0.13.0, the Supervisor performs checks during each refresh request against the configured external identity provider to determine if the user should be allowed to continue their session. Thus, the short lifetime of the access token is intended to force users to be subjected to those checks often. For example, if a user\u0027s account in the external identity provider became locked, the next refresh would fail, and the user should lose access to the Kubernetes clusters fairly quickly. As another example, if a user\u0027s group membership changed in the external identity provider, the new group memberships would be reflected in their sessions with Kubernetes clusters within a fairly short window of time.\n\nAccess tokens are cached in a local file by the Pinniped CLI (the kubectl plugin) and are sent back to the Supervisor (via HTTPS) to receive cluster-scoped credentials. Due to a bug in this token exchange, the expiration time of the submitted access token was not checked correctly, causing expired access tokens to continue to be accepted by this endpoint until the user\u0027s backend session data is deleted, approximately nine hours after their session started. This bug could allow a legitimate user to avoid the checks performed during refresh by maliciously skipping the refresh step.\n\nNote that the Pinniped CLI performs the refresh operation often, so the refresh checks are still performed often under normal usage of the CLI, despite this bug.\n\nPractical impact to versions before v0.13.0 is minimal, since those versions did not perform checks against the external identity provider during refreshes. In these versions, the user can perform refreshes to get a new access tokens without restriction for approximately nine hours, so the duration of their access is effectively unchanged by this bug.\n\n### Patches\n\nThe impacted token exchange feature was first introduced in v0.3.0. Versions v0.3.0 to v0.18.0 are effected by this bug.\n\nThis vulnerability was found by the maintainers of Pinniped and fixed immediately. The fix was introduced in release v0.19.0.\n\n### Workarounds\n\nThere are no known workarounds. Upgrading the Supervisor is recommended, especially for users of v0.13.0 or newer.\n\n### References\n\nThe issue was fixed by PR [#1264](https://github.com/vmware-tanzu/pinniped/pull/1264).\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo\u0027s [README.md](https://github.com/vmware-tanzu/pinniped/blob/main/README.md#discussion).\n",
  "id": "GHSA-rp4v-hhm6-rcv9",
  "modified": "2022-09-08T13:55:41Z",
  "published": "2022-09-01T22:24:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/pull/1264"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vmware-tanzu/pinniped"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vmware-tanzu/pinniped/releases/tag/v0.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pinniped Supervisor Insufficient Session Expiration vulnerability"
}

GHSA-RPW8-82V9-3Q87

Vulnerability from github – Published: 2025-09-08 20:05 – Updated: 2025-09-13 04:41
VLAI
Summary
Fides' Admin UI User Password Change Does Not Invalidate Current Session
Details

Summary

Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.

Details

Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, not against the current password state.

The frontend application stores authentication state in browser local storage, which persists across browser sessions until explicit logout or natural token expiration.

This behavior alone does not constitute a directly exploitable vulnerability. The security issue only becomes exploitable when chained with other vulnerabilities or conditions that allow attackers to obtain valid session tokens, such as:

  • Cross-Site Scripting (XSS) attacks that can access browser storage where tokens are stored
  • Session hijacking through network interception
  • Malware on the user's device that can read browser storage
  • Physical device access where attackers can access browser storage directly

Impact

This vulnerability serves as a persistence mechanism in attack chains rather than a primary attack vector. When chained with token theft vulnerabilities, it allows attackers to:

  • Maintain access beyond the remediation window when users change passwords in response to suspected compromise
  • Extend the impact timeframe of client-side attacks from minutes/hours to potentially an extended period
  • Defeat common incident response procedures that rely on password changes to secure compromised accounts

Stored tokens persist across browser sessions until explicit logout or natural expiration.

Patches

The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Severity

This vulnerability has been assigned a severity of LOW because:

  • No direct exploitability - requires chaining with other vulnerabilities
  • High attack complexity - multiple successful exploits needed
  • Limited standalone impact - only extends existing compromises
  • Aligns with industry standard classifications of LOW severity for session invalidation failures

This is fundamentally a defense-in-depth issue rather than a primary security vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.69.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-08T20:05:19Z",
    "nvd_published_at": "2025-09-08T22:15:33Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nAdmin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.\n\n### Details\n\nFides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens based on their cryptographic integrity and expiration time, not against the current password state.\n\nThe frontend application stores authentication state in browser local storage, which persists across browser sessions until explicit logout or natural token expiration.\n\nThis behavior alone does not constitute a directly exploitable vulnerability. The security issue only becomes exploitable when chained with other vulnerabilities or conditions that allow attackers to obtain valid session tokens, such as:\n\n- Cross-Site Scripting (XSS) attacks that can access browser storage where tokens are stored\n- Session hijacking through network interception\n- Malware on the user\u0027s device that can read browser storage\n- Physical device access where attackers can access browser storage directly\n\n### Impact\n\nThis vulnerability serves as a persistence mechanism in attack chains rather than a primary attack vector. When chained with token theft vulnerabilities, it allows attackers to:\n\n- Maintain access beyond the remediation window when users change passwords in response to suspected compromise\n- Extend the impact timeframe of client-side attacks from minutes/hours to potentially an extended period\n- Defeat common incident response procedures that rely on password changes to secure compromised accounts\n\nStored tokens persist across browser sessions until explicit logout or natural expiration.\n\n### Patches\n\nThe vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\n\nThere are no workarounds.\n\n### Severity\n\nThis vulnerability has been assigned a severity of **LOW** because:\n\n- No direct exploitability - requires chaining with other vulnerabilities\n- High attack complexity - multiple successful exploits needed\n- Limited standalone impact - only extends existing compromises\n- Aligns with industry standard classifications of LOW severity for session invalidation failures\n\nThis is fundamentally a defense-in-depth issue rather than a primary security vulnerability.",
  "id": "GHSA-rpw8-82v9-3q87",
  "modified": "2025-09-13T04:41:02Z",
  "published": "2025-09-08T20:05:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fides\u0027 Admin UI User Password Change Does Not Invalidate Current Session"
}

GHSA-RPX3-F938-XJ5Q

Vulnerability from github – Published: 2025-09-24 03:30 – Updated: 2025-12-16 23:59
VLAI
Summary
Liferay Portal and DXP does not properly expire sessions
Details

Summary

Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.

Affected Versions

The following platform versions are affected:

  • Liferay Portal:
    • 7.3.3.131 through 7.4.3.121
  • Liferay DXP:
    • 2024.Q4.02024.Q4.3
    • 2024.Q3.12024.Q3.13
    • 2024.Q2.02024.Q2.13
    • 2024.Q1.12024.Q1.12

Remediation

Update to the fixed builds and, for Maven consumers of the SAML module, upgrade com.liferay:com.liferay.saml.impl to 5.0.51 or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.saml.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.51"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-24T17:28:45Z",
    "nvd_published_at": "2025-09-24T02:15:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nLiferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user\u2019s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.\n\n### Affected Versions\n\nThe following platform versions are affected:\n\n*   **Liferay Portal:**  \n    *   `7.3.3.131` through `7.4.3.121`\n*   **Liferay DXP:**\n    *   `2024.Q4.0`\u2013`2024.Q4.3`\n    *   `2024.Q3.1`\u2013`2024.Q3.13`\n    *   `2024.Q2.0`\u2013`2024.Q2.13`\n    *   `2024.Q1.1`\u2013`2024.Q1.12`\n\n### Remediation\n\nUpdate to the fixed builds and, for Maven consumers of the SAML module, upgrade `com.liferay:com.liferay.saml.impl` to **5.0.51** or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.",
  "id": "GHSA-rpx3-f938-xj5q",
  "modified": "2025-12-16T23:59:11Z",
  "published": "2025-09-24T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/433dff5edae4414fdc436b49a9edb62d721c84b5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/da9105a61d788801797797a32583a4b76c902cdc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-18159"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-rpx3-f938-xj5q"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal and DXP does not properly expire sessions"
}

GHSA-RQ9W-G596-24V3

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-04T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.",
  "id": "GHSA-rq9w-g596-24v3",
  "modified": "2022-05-24T17:40:56Z",
  "published": "2022-05-24T17:40:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14247"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0086469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.