CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-W5MG-8GPQ-PMWQ
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user's session might misuse the session token even after the session has been closed.
{
"affected": [],
"aliases": [
"CVE-2018-2451"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-14T16:29:00Z",
"severity": "MODERATE"
},
"details": "XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even after corresponding authorizations have been revoked meanwhile by an administrator user. Similarly, an attacker who managed to gain access to the platform user\u0027s session might misuse the session token even after the session has been closed.",
"id": "GHSA-w5mg-8gpq-pmwq",
"modified": "2022-05-13T01:20:00Z",
"published": "2022-05-13T01:20:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2451"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2590705"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6CC-5826-4FQ3
Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
{
"affected": [],
"aliases": [
"CVE-2026-20895"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T00:16:56Z",
"severity": "HIGH"
},
"details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
"id": "GHSA-w6cc-5826-4fq3",
"modified": "2026-03-05T21:30:27Z",
"published": "2026-02-27T00:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20895"
},
{
"type": "WEB",
"url": "https://ev2go.io"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W6WM-HQX9-7CQ8
Vulnerability from github – Published: 2026-02-24 21:31 – Updated: 2026-02-27 03:30Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.
{
"affected": [],
"aliases": [
"CVE-2026-26342"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T20:27:48Z",
"severity": "HIGH"
},
"details": "Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.",
"id": "GHSA-w6wm-hqx9-7cq8",
"modified": "2026-02-27T03:30:26Z",
"published": "2026-02-24T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26342"
},
{
"type": "WEB",
"url": "https://www.tattile.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W87J-439W-P9F3
Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2025-11-03 21:30A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
{
"affected": [],
"aliases": [
"CVE-2022-0996"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.",
"id": "GHSA-w87j-439w-p9f3",
"modified": "2025-11-03T21:30:38Z",
"published": "2022-03-24T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0996"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5239"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5620"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:5823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8162"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8976"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0996"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064769"
},
{
"type": "WEB",
"url": "https://github.com/ByteHackr/389-ds-base"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8FX-FM62-WW3Q
Vulnerability from github – Published: 2022-10-07 18:15 – Updated: 2022-10-10 00:00IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.
{
"affected": [],
"aliases": [
"CVE-2022-41291"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 236699.",
"id": "GHSA-w8fx-fm62-ww3q",
"modified": "2022-10-10T00:00:32Z",
"published": "2022-10-07T18:15:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41291"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236699"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6823109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8HX-XWGF-2M86
Vulnerability from github – Published: 2025-04-14 09:30 – Updated: 2025-04-14 09:30Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
{
"affected": [],
"aliases": [
"CVE-2025-30516"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T07:15:14Z",
"severity": "LOW"
},
"details": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications",
"id": "GHSA-w8hx-xwgf-2m86",
"modified": "2025-04-14T09:30:24Z",
"published": "2025-04-14T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30516"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8W3-M5JX-QWWR
Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
{
"affected": [],
"aliases": [
"CVE-2018-7758"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-18T20:29:00Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability exists in Schneider Electric\u0027s MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.",
"id": "GHSA-w8w3-m5jx-qwwr",
"modified": "2022-05-14T03:20:49Z",
"published": "2022-05-14T03:20:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7758"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-02"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-03"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-074-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9G9-CC2C-QXCQ
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358.
{
"affected": [],
"aliases": [
"CVE-2020-4395"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-14T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager Appliance 9.0.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 179358.",
"id": "GHSA-w9g9-cc2c-qxcq",
"modified": "2022-05-24T17:30:40Z",
"published": "2022-05-24T17:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4395"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/179358"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6347592"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WFGV-4XH4-MFF6
Vulnerability from github – Published: 2023-02-20 18:30 – Updated: 2023-03-06 21:30Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
{
"affected": [],
"aliases": [
"CVE-2022-48317"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-20T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Expired sessions were not securely terminated in the RestAPI for Tribe29\u0027s Checkmk \u003c= 2.1.0p10 and Checkmk \u003c= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.",
"id": "GHSA-wfgv-4xh4-mff6",
"modified": "2023-03-06T21:30:19Z",
"published": "2023-02-20T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48317"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/14485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHGG-X7CG-V7R9
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users' session. IBM X-Force ID: 192912.
{
"affected": [],
"aliases": [
"CVE-2020-4995"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another users\u0027 session. IBM X-Force ID: 192912.",
"id": "GHSA-whgg-x7cg-v7r9",
"modified": "2022-05-24T17:41:31Z",
"published": "2022-05-24T17:41:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4995"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192912"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6413393"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.