CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-RR6G-4537-6PPF
Vulnerability from github – Published: 2026-04-23 00:31 – Updated: 2026-04-23 00:31IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.
{
"affected": [],
"aliases": [
"CVE-2026-1272"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T00:16:44Z",
"severity": "LOW"
},
"details": "IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.",
"id": "GHSA-rr6g-4537-6ppf",
"modified": "2026-04-23T00:31:18Z",
"published": "2026-04-23T00:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1272"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7269445"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RRR3-RPGW-867X
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.
{
"affected": [],
"aliases": [
"CVE-2026-61452"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T12:18:20Z",
"severity": "MODERATE"
},
"details": "The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.",
"id": "GHSA-rrr3-rpgw-867x",
"modified": "2026-07-15T12:32:04Z",
"published": "2026-07-15T12:32:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8g9-wxhx-6f86"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61452"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/grav-before-improper-session-invalidation-jwt-access-tokens"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RV9X-WMW4-44QJ
Vulnerability from github – Published: 2023-01-12 03:30 – Updated: 2023-01-20 16:54Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0b3.dev35"
},
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0227"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T20:54:01Z",
"nvd_published_at": "2023-01-12T01:15:00Z",
"severity": "MODERATE"
},
"details": "Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.",
"id": "GHSA-rv9x-wmw4-44qj",
"modified": "2023-01-20T16:54:17Z",
"published": "2023-01-12T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0227"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/c035714c0596b704b11af0f8a669352f128ad2d9"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/af3101d7-fea6-463a-b7e4-a48be219e31b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pyload Insufficient Session Expiration vulnerability"
}
GHSA-RVM5-9PV9-2RRC
Vulnerability from github – Published: 2025-04-18 15:31 – Updated: 2025-04-18 15:31IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0
does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-45651"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-18T11:15:44Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 \n\ndoes not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-rvm5-9pv9-2rrc",
"modified": "2025-04-18T15:31:38Z",
"published": "2025-04-18T15:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45651"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7231178"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RVW7-WX4G-RQ78
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).
This issue affects Avantra: before 25.3.1.
{
"affected": [],
"aliases": [
"CVE-2026-8670"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T14:16:29Z",
"severity": "CRITICAL"
},
"details": "Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay).\n\nThis issue affects Avantra: before 25.3.1.",
"id": "GHSA-rvw7-wx4g-rq78",
"modified": "2026-05-26T13:30:17Z",
"published": "2026-05-26T13:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8670"
},
{
"type": "WEB",
"url": "https://support.avantra.com/hc/en-us/articles/5533929912351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW8H-4H76-H2MX
Vulnerability from github – Published: 2025-04-18 18:31 – Updated: 2025-04-22 15:30An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
{
"affected": [],
"aliases": [
"CVE-2025-28059"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-18T17:15:34Z",
"severity": "HIGH"
},
"details": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.",
"id": "GHSA-rw8h-4h76-h2mx",
"modified": "2025-04-22T15:30:51Z",
"published": "2025-04-18T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28059"
},
{
"type": "WEB",
"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/#network-analyze"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX2F-PJ28-88G5
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532."
{
"affected": [],
"aliases": [
"CVE-2022-40230"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "\"IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532.\"",
"id": "GHSA-rx2f-pj28-88g5",
"modified": "2022-11-04T19:01:11Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40230"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6622051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX9C-4X6J-XM83
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-26 00:01A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-23669"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-17T18:15:00Z",
"severity": "HIGH"
},
"details": "A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.",
"id": "GHSA-rx9c-4x6j-xm83",
"modified": "2022-05-26T00:01:11Z",
"published": "2022-05-18T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23669"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2X8-2RV7-79J3
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
{
"affected": [],
"aliases": [
"CVE-2021-38823"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-04T14:15:00Z",
"severity": "CRITICAL"
},
"details": "The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.",
"id": "GHSA-v2x8-2rv7-79j3",
"modified": "2022-05-24T19:16:29Z",
"published": "2022-05-24T19:16:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38823"
},
{
"type": "WEB",
"url": "https://www.navidkagalwalla.com/icehrm-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V42H-J35F-R8X9
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.
{
"affected": [],
"aliases": [
"CVE-2020-25374"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.",
"id": "GHSA-v42h-j35f-r8x9",
"modified": "2022-05-24T17:32:32Z",
"published": "2022-05-24T17:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25374"
},
{
"type": "WEB",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm"
},
{
"type": "WEB",
"url": "https://medium.com/@virajmota38/full-path-disclosure-8a9358e5a867"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.