Common Weakness Enumeration
CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
CVE-2023-40537 (GCVE-0-2023-40537)
Vulnerability from cvelistv5 – Published: 2023-10-10 12:32 – Updated: 2024-09-19 13:42
VLAI
EPSS
VEX
Title
Multi-blade VIPRION Configuration utility session cookie vulnerability
Summary
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K29141800 | vendor-advisory |
Impacted products
Date Public
2023-10-18 14:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://my.f5.com/manage/s/article/K29141800"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T13:41:53.174039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T13:42:04.256Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"platforms": [
"Multi-blade VIPRION"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17.1.0",
"versionType": "semver"
},
{
"lessThan": "16.1.4",
"status": "affected",
"version": "16.1.0",
"versionType": "semver"
},
{
"lessThan": "15.1.9",
"status": "affected",
"version": "15.1.0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "14.1.0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "13.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "F5"
}
],
"datePublic": "2023-10-18T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn authenticated user\u0027s session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nAn authenticated user\u0027s session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T12:32:50.806Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K29141800"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Multi-blade VIPRION Configuration utility session cookie vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2023-40537",
"datePublished": "2023-10-10T12:32:50.806Z",
"dateReserved": "2023-10-05T19:17:25.713Z",
"dateUpdated": "2024-09-19T13:42:04.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40174 (GCVE-0-2023-40174)
Vulnerability from cvelistv5 – Published: 2023-08-18 21:41 – Updated: 2024-10-03 14:16
VLAI
EPSS
VEX
Title
Insufficient Session Expiration in fobybus/social-media-skeleton
Summary
Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/fobybus/social-media-skeleton/… | x_refsource_CONFIRM |
| https://github.com/fobybus/social-media-skeleton/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| fobybus | social-media-skeleton |
Affected:
< 1.0.5
|
|
| fobybus | social-media-skeleton |
Affected:
0 , < 1.0.5
(custom)
cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:55.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
},
{
"name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fobybus:social-media-skeleton:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "social-media-skeleton",
"vendor": "fobybus",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T14:13:47.949316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T14:16:00.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "social-media-skeleton",
"vendor": "fobybus",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user\u0027s session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-18T21:41:53.666Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fobybus/social-media-skeleton/security/advisories/GHSA-cr5c-ggwq-g4hq"
},
{
"name": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fobybus/social-media-skeleton/commit/99738b2cc5efb6a5739161c931daa43f99431e5a"
}
],
"source": {
"advisory": "GHSA-cr5c-ggwq-g4hq",
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration in fobybus/social-media-skeleton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40174",
"datePublished": "2023-08-18T21:41:53.666Z",
"dateReserved": "2023-08-09T15:26:41.052Z",
"dateUpdated": "2024-10-03T14:16:00.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40025 (GCVE-0-2023-40025)
Vulnerability from cvelistv5 – Published: 2023-08-23 19:12 – Updated: 2024-10-01 15:52
VLAI
EPSS
VEX
Title
Argo CD web terminal session doesn't expire
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/argoproj/argo-cd/security/advi… | x_refsource_CONFIRM |
| https://github.com/argoproj/argo-cd/commit/e047ef… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T15:07:03.559942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T15:52:16.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.6.14"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.7.12"
},
{
"status": "affected",
"version": "= 2.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-23T19:12:04.016Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478"
}
],
"source": {
"advisory": "GHSA-c8xw-vjgf-94hr",
"discovery": "UNKNOWN"
},
"title": "Argo CD web terminal session doesn\u0027t expire"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40025",
"datePublished": "2023-08-23T19:12:04.016Z",
"dateReserved": "2023-08-08T13:46:25.243Z",
"dateUpdated": "2024-10-01T15:52:16.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38489 (GCVE-0-2023-38489)
Vulnerability from cvelistv5 – Published: 2023-07-27 14:36 – Updated: 2024-10-23 13:34
VLAI
EPSS
VEX
Title
Kirby vulnerable to Insufficient Session Expiration after a password change
Summary
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby did not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.
The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/getkirby/kirby/security/adviso… | x_refsource_CONFIRM |
| https://github.com/getkirby/kirby/commit/7a0a2014… | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/3.5.8.3 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/3.6.6.3 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/3.7.5.2 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/3.8.4.1 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/3.9.6 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| getkirby | kirby |
Affected:
< 3.5.8.3
Affected: >= 3.6.0, < 3.6.6.3 Affected: >= 3.7.0, < 3.7.5.2 Affected: >= 3.8.0, < 3.8.41 Affected: >= 3.9.0, < 3.9.6 |
|
| getkirby | kirby |
Affected:
0 , < 3.5.8.3
(custom)
Affected: 3.60 , < 3.6.6.3 (custom) Affected: 3.70 , < 3.7.5.2 (custom) Affected: 3.8.0 , < 3.8.41 (custom) Affected: 3.9.0 , < 3.9.6 (custom) cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:13.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45"
},
{
"name": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kirby",
"vendor": "getkirby",
"versions": [
{
"lessThan": "3.5.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.6.6.3",
"status": "affected",
"version": "3.60",
"versionType": "custom"
},
{
"lessThan": "3.7.5.2",
"status": "affected",
"version": "3.70",
"versionType": "custom"
},
{
"lessThan": "3.8.41",
"status": "affected",
"version": "3.8.0",
"versionType": "custom"
},
{
"lessThan": "3.9.6",
"status": "affected",
"version": "3.9.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:28:36.556310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T13:34:03.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kirby",
"vendor": "getkirby",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.8.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.6.6.3"
},
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.5.2"
},
{
"status": "affected",
"version": "\u003e= 3.8.0, \u003c 3.8.41"
},
{
"status": "affected",
"version": "\u003e= 3.9.0, \u003c 3.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby\u0027s API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.\n\nInsufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby did not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T15:46:54.264Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45"
},
{
"name": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
}
],
"source": {
"advisory": "GHSA-5mvj-rvp8-rf45",
"discovery": "UNKNOWN"
},
"title": "Kirby vulnerable to Insufficient Session Expiration after a password change"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38489",
"datePublished": "2023-07-27T14:36:46.189Z",
"dateReserved": "2023-07-18T16:28:12.075Z",
"dateUpdated": "2024-10-23T13:34:03.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37919 (GCVE-0-2023-37919)
Vulnerability from cvelistv5 – Published: 2023-07-25 20:42 – Updated: 2024-10-16 19:45
VLAI
EPSS
VEX
Title
Cal.com not expiring old sessions after enabling 2FA
Summary
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) stays logged in without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/calcom/cal.com/security/adviso… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cal.com",
"vendor": "cal",
"versions": [
{
"lessThanOrEqual": "3.1.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37919",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T19:02:55.165070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T19:45:12.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cal.com",
"vendor": "calcom",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) stays logged in without having to verify the account owner\u0027s identity. As of time of publication, no known patches or workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T20:42:28.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx"
}
],
"source": {
"advisory": "GHSA-cpf2-q635-xrwx",
"discovery": "UNKNOWN"
},
"title": "Cal.com not expiring old sessions after enabling 2FA"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37919",
"datePublished": "2023-07-25T20:42:28.825Z",
"dateReserved": "2023-07-10T17:51:29.612Z",
"dateUpdated": "2024-10-16T19:45:12.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37570 (GCVE-0-2023-37570)
Vulnerability from cvelistv5 – Published: 2023-08-08 08:11 – Updated: 2024-10-10 17:58
VLAI
EPSS
VEX
Title
Insufficient Session Expiration Vulnerability in Emagic Data Center Management Suite
Summary
This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie.
By reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ESDS | Emagic Data Center Management Suite |
Affected:
0 , ≤ V6.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0226"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T17:58:04.736582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T17:58:16.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Emagic Data Center Management Suite",
"vendor": "ESDS",
"versions": [
{
"lessThanOrEqual": "V6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chinamay Joshi of ESDS Software Solution Limited, Maharashtra"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. \u003cbr\u003eBy reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.\u003cbr\u003e"
}
],
"value": "This vulnerability exists in ESDS Emagic Data Center Management Suit due to non-expiry of session cookie. \nBy reusing the stolen cookie, a remote attacker could gain unauthorized access to the targeted system.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T08:11:08.948Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0226"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to Enlight360 Datacenter Management Center Suite with latest version v8.9\u003cbr\u003e"
}
],
"value": "Upgrade to Enlight360 Datacenter Management Center Suite with latest version v8.9\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration Vulnerability in Emagic Data Center Management Suite"
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2023-37570",
"datePublished": "2023-08-08T08:11:08.948Z",
"dateReserved": "2023-07-07T09:41:33.905Z",
"dateUpdated": "2024-10-10T17:58:16.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33303 (GCVE-0-2023-33303)
Vulnerability from cvelistv5 – Published: 2023-10-13 14:32 – Updated: 2025-12-16 18:23
VLAI
EPSS
VEX
Summary
A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Execute unauthorized code or commands
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:36.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-23-007",
"tags": [
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-23-007"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:55:44.057314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T18:23:23.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FortiEDR",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "5.0.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T15:15:55.961Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-23-007",
"url": "https://fortiguard.com/psirt/FG-IR-23-007"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiEDR version 5.2.0.2501 or above\r\nPlease upgrade to FortiEDR version 5.0.3.873 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2023-33303",
"datePublished": "2023-10-13T14:32:30.544Z",
"dateReserved": "2023-05-22T07:58:22.197Z",
"dateUpdated": "2025-12-16T18:23:23.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32318 (GCVE-0-2023-32318)
Vulnerability from cvelistv5 – Published: 2023-05-26 17:21 – Updated: 2025-01-14 19:33
VLAI
EPSS
VEX
Title
User session not correctly destroyed on logout
Summary
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/text/pull/3946 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories |
Affected:
>= 25.0.2, < 25.0.6
Affected: >= 26.0.0, < 26.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38"
},
{
"name": "https://github.com/nextcloud/text/pull/3946",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/text/pull/3946"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32318",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T19:32:56.997199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T19:33:06.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.0.2, \u003c 25.0.6"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-26T17:21:17.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38"
},
{
"name": "https://github.com/nextcloud/text/pull/3946",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/text/pull/3946"
}
],
"source": {
"advisory": "GHSA-q8c4-chpj-6v38",
"discovery": "UNKNOWN"
},
"title": "User session not correctly destroyed on logout"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32318",
"datePublished": "2023-05-26T17:21:17.942Z",
"dateReserved": "2023-05-08T13:26:03.879Z",
"dateUpdated": "2025-01-14T19:33:06.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31140 (GCVE-0-2023-31140)
Vulnerability from cvelistv5 – Published: 2023-05-08 20:27 – Updated: 2025-01-29 14:55
VLAI
EPSS
VEX
Title
OpenProject user sessions not terminated after activation of 2FA
Summary
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/opf/openproject/security/advis… | x_refsource_CONFIRM |
| https://github.com/opf/openproject/pull/12508 | x_refsource_MISC |
| https://community.openproject.org/wp/48035 | x_refsource_MISC |
| https://www.openproject.org/docs/release-notes/12-5-4/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| opf | openproject |
Affected:
>= 7.4.0, < 12.5.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31140",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:55:14.858296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:55:24.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 12.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T20:27:48.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"source": {
"advisory": "GHSA-xfp9-qqfj-x28q",
"discovery": "UNKNOWN"
},
"title": "OpenProject user sessions not terminated after activation of 2FA"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31140",
"datePublished": "2023-05-08T20:27:48.218Z",
"dateReserved": "2023-04-24T21:44:10.417Z",
"dateUpdated": "2025-01-29T14:55:24.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31139 (GCVE-0-2023-31139)
Vulnerability from cvelistv5 – Published: 2023-05-09 14:27 – Updated: 2025-01-28 17:02
VLAI
EPSS
VEX
Title
DHIS2 Core unrestricted session cookies with Personal Access Tokens
Summary
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/dhis2/dhis2-core/security/advi… | x_refsource_CONFIRM |
| https://github.com/dhis2/dhis2-releases/blob/mast… | x_refsource_MISC |
| https://github.com/dhis2/dhis2-releases/blob/mast… | x_refsource_MISC |
| https://github.com/dhis2/dhis2-releases/blob/mast… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dhis2 | dhis2-core |
Affected:
>= 2.37, < 2.37.9.1
Affected: >= 2.38, < 2.38.3.1 Affected: >= 2.39, < 2.39.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T17:02:12.700403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T17:02:24.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dhis2-core",
"vendor": "dhis2",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.37, \u003c 2.37.9.1"
},
{
"status": "affected",
"version": "\u003e= 2.38, \u003c 2.38.3.1"
},
{
"status": "affected",
"version": "\u003e= 2.39, \u003c 2.39.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens (PATs) generate unrestricted session cookies. This may lead to a bypass of other access restrictions (for example, based on allowed IP addresses or HTTP methods). DHIS2 implementers should upgrade to a supported version of DHIS2: 2.37.9.1, 2.38.3.1, or 2.39.1.2. Implementers can work around this issue by adding extra access control validations on a reverse proxy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T14:27:22.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-44g3-9mp4-prv3"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.37/ReleaseNote-2.37.9.1.md"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.38/ReleaseNote-2.38.3.1.md"
},
{
"name": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dhis2/dhis2-releases/blob/master/releases/2.39/ReleaseNote-2.39.1.2.md"
}
],
"source": {
"advisory": "GHSA-44g3-9mp4-prv3",
"discovery": "UNKNOWN"
},
"title": "DHIS2 Core unrestricted session cookies with Personal Access Tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31139",
"datePublished": "2023-05-09T14:27:22.658Z",
"dateReserved": "2023-04-24T21:44:10.417Z",
"dateUpdated": "2025-01-28T17:02:24.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Implementation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.