CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-3CH3-JHC6-5R8X
Vulnerability from github – Published: 2023-11-15 14:48 – Updated: 2023-11-15 14:48Impact
The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.
To pass extra control data between extractors (such as headers like `Referer`), yt-dlp employs a concept of "url smuggling". This works by adding this extra data as json to the url fragment ("smuggling") that is then passed on to an extractor. The receiving extractor then "unsmuggles" the data from the input url. This functionality is intended to be internal only. Currently, the Generic extractor supports receiving an arbitrary dictionary of HTTP headers in a smuggled url, of which it extracts and adds them to the initial request it makes to such url. This is useful when a url sent to the Generic extractor needs a `Referer` header sent with it, for example. Additionally, yt-dlp has internal headers to set a proxy for a request: `Ytdl-request-proxy` and `Ytdl-socks-proxy`. While these are deprecated, internally `Ytdl-request-proxy` is still used for `--geo-verification-proxy`. However, it is possible for a maliciously crafted site include these smuggled options in a url which then the Generic extractor extracts and redirects to itself. This allows a malicious website to **set an arbitrary proxy for an arbitrary url that the Generic extractor will request.** This could allow for the following, but not limited too: - An attacker can MITM a request it asks yt-dlp to make to **any** website. - If a user has loaded cookies into yt-dlp for the target site, which are not marked as [secure](https://en.wikipedia.org/wiki/Secure_cookie), they could be exfiltrated by the attacker. - Fortunately most sites are HTTPS and should be setting cookies as secure. - An attacker can set cookies for an arbitrary site. An example malicious webpage:<!DOCTYPE html>
<cinerama.embedPlayer('t','{{ target_site }}#__youtubedl_smuggle=%7B%22http_headers%22:%7B%22Ytdl-request-proxy%22:%22{{ proxy url }}%22%7D,%22fake%22:%22.smil/manifest%22%7D')
Where `{{ target_site }}` is the URL Generic extractor will request and `{{ proxy url }}` is the proxy to proxy the request for this url through.
Patches
- We have removed the ability to smuggle
http_headersto the Generic extractor, as well as other extractors that use the same pattern.
Workarounds
- Disable Generic extractor (
--ies default,-generic), or only pass trusted sites with trusted content. - Take caution when using
--no-check-certificate.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "yt-dlp"
},
"ranges": [
{
"events": [
{
"introduced": "2022.10.04"
},
{
"fixed": "2023.11.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46121"
],
"database_specific": {
"cwe_ids": [
"CWE-444",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-15T14:48:24Z",
"nvd_published_at": "2023-11-15T00:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp\u0027s HTTP session. This could lead to cookie exfiltration in some cases.\n\n\u003cdetails\u003e\n\nTo pass extra control data between extractors (such as headers like `Referer`), yt-dlp employs a concept of \"url smuggling\". This works by adding this extra data as json to the url fragment (\"smuggling\") that is then passed on to an extractor. The receiving extractor then \"unsmuggles\" the data from the input url. This functionality is intended to be internal only.\n\nCurrently, the Generic extractor supports receiving an arbitrary dictionary of HTTP headers in a smuggled url, of which it extracts and adds them to the initial request it makes to such url. This is useful when a url sent to the Generic extractor needs a `Referer` header sent with it, for example.\n\nAdditionally, yt-dlp has internal headers to set a proxy for a request: `Ytdl-request-proxy` and `Ytdl-socks-proxy`. While these are deprecated, internally `Ytdl-request-proxy` is still used for `--geo-verification-proxy`.\n\nHowever, it is possible for a maliciously crafted site include these smuggled options in a url which then the Generic extractor extracts and redirects to itself. This allows a malicious website to **set an arbitrary proxy for an arbitrary url that the Generic extractor will request.**\n\nThis could allow for the following, but not limited too:\n- An attacker can MITM a request it asks yt-dlp to make to **any** website.\n - If a user has loaded cookies into yt-dlp for the target site, which are not marked as [secure](https://en.wikipedia.org/wiki/Secure_cookie), they could be exfiltrated by the attacker.\n - Fortunately most sites are HTTPS and should be setting cookies as secure.\n- An attacker can set cookies for an arbitrary site.\n\nAn example malicious webpage:\n```html\n\u003c!DOCTYPE html\u003e\n\u003ccinerama.embedPlayer(\u0027t\u0027,\u0027{{ target_site }}#__youtubedl_smuggle=%7B%22http_headers%22:%7B%22Ytdl-request-proxy%22:%22{{ proxy url }}%22%7D,%22fake%22:%22.smil/manifest%22%7D\u0027)\n```\n\nWhere `{{ target_site }}` is the URL Generic extractor will request and `{{ proxy url }}` is the proxy to proxy the request for this url through.\n\n\u003c/details\u003e\n\n### Patches\n- We have removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern.\n\n### Workarounds\n- Disable Generic extractor (`--ies default,-generic`), or only pass trusted sites with trusted content.\n- Take caution when using `--no-check-certificate`.\n\n### References\n- \u003chttps://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x\u003e\n- \u003chttps://nvd.nist.gov/vuln/detail/CVE-2023-46121\u003e\n- \u003chttps://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14\u003e\n- \u003chttps://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb\u003e\n",
"id": "GHSA-3ch3-jhc6-5r8x",
"modified": "2023-11-15T14:48:24Z",
"published": "2023-11-15T14:48:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46121"
},
{
"type": "WEB",
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"type": "PACKAGE",
"url": "https://github.com/yt-dlp/yt-dlp"
},
{
"type": "WEB",
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection"
}
GHSA-3CRM-X896-J73P
Vulnerability from github – Published: 2026-02-18 15:31 – Updated: 2026-02-18 21:31Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.
{
"affected": [],
"aliases": [
"CVE-2026-1435"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T14:16:05Z",
"severity": "CRITICAL"
},
"details": "Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new \u0027sessionId\u0027 each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked \u0027sessionId\u0027 can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.",
"id": "GHSA-3crm-x896-j73p",
"modified": "2026-02-18T21:31:22Z",
"published": "2026-02-18T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1435"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3F8R-X482-8QPG
Vulnerability from github – Published: 2024-02-10 00:31 – Updated: 2025-06-03 21:30Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.
{
"affected": [],
"aliases": [
"CVE-2023-45718"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-09T22:15:08Z",
"severity": "LOW"
},
"details": "Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. \u00a0",
"id": "GHSA-3f8r-x482-8qpg",
"modified": "2025-06-03T21:30:34Z",
"published": "2024-02-10T00:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45718"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FQM-FRHG-7C85
Vulnerability from github – Published: 2023-07-06 20:47 – Updated: 2023-08-31 18:30Summary
In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time.
Details
Each node maintains an in-memory cache of user sessions. Upon a cache-miss, the session is loaded from the database. After that, the node operates solely on the cached session. Modifications to sessions will update the cached version as well as the session persisted in the database. However, each node maintains their isolated version of the session.
When the user logs out, the session is removed from the node-local cache and deleted from the database. The other nodes will however still use the cached session.
These nodes will only fail to accept the session id if they intent to update the session in the database. They will then notice that the session is gone. This is true for most API requests originating from user interaction with the Graylog UI because these will lead to an update of the session's "last access" timestamp.
If the session update is however prevented by setting the X-Graylog-No-Session-Extension:true header in the request, the node will consider the (cached) session valid until the session is expired according to its timeout setting.
PoC
In a 2-node setup, with both nodes behind a load balancer:
- Log in
- Extract the session ID from the cookie
- Log out and close the browser
- Perform the following API request repeatedly with curl (with
<session-id>replaced with the session id from step 2 and<lb-host>replaced with the hostname of your load balancer):curl -I -H X-Graylog-No-Session-Extension:true https://<session-id>:session@<lb-host>/api/system/cluster/nodes - Notice that the request is sometimes rejected, but sometimes succeeds
Impact
No session identifiers are leaked.
After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.graylog2:graylog2-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "5.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.graylog2:graylog2-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41041"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T20:47:54Z",
"nvd_published_at": "2023-08-30T22:15:10Z",
"severity": "LOW"
},
"details": "### Summary\n\nIn a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time.\n\n### Details\n\nEach node maintains an in-memory cache of user sessions. Upon a cache-miss, the session is loaded from the database. After that, the node operates solely on the cached session. Modifications to sessions will update the cached version as well as the session persisted in the database. However, each node maintains their isolated version of the session.\n\nWhen the user logs out, the session is removed from the node-local cache and deleted from the database. The other nodes will however still use the cached session.\n\nThese nodes will only fail to accept the session id if they intent to update the session in the database. They will then notice that the session is gone. This is true for most API requests originating from user interaction with the Graylog UI because these will lead to an update of the session\u0027s \"last access\" timestamp.\n\nIf the session update is however prevented by setting the `X-Graylog-No-Session-Extension:true` header in the request, the node will consider the (cached) session valid until the session is expired according to its timeout setting.\n\n### PoC\nIn a 2-node setup, with both nodes behind a load balancer:\n\n1. Log in\n1. Extract the session ID from the cookie\n1. Log out and close the browser\n1. Perform the following API request repeatedly with curl (with `\u003csession-id\u003e` replaced with the session id from step 2 and `\u003clb-host\u003e` replaced with the hostname of your load balancer):\n ```\n curl -I -H X-Graylog-No-Session-Extension:true https://\u003csession-id\u003e:session@\u003clb-host\u003e/api/system/cluster/nodes\n ```\n1. Notice that the request is sometimes rejected, but sometimes succeeds\n\n\n### Impact\n\nNo session identifiers are leaked.\n\nAfter a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out.\n\n\n",
"id": "GHSA-3fqm-frhg-7c85",
"modified": "2023-08-31T18:30:20Z",
"published": "2023-07-06T20:47:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3fqm-frhg-7c85"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41041"
},
{
"type": "WEB",
"url": "https://github.com/Graylog2/graylog2-server/commit/bb88f3d0b2b0351669ab32c60b595ab7242a3fe3"
},
{
"type": "WEB",
"url": "https://github.com/Graylog2/graylog2-server/commit/ff90f3e2aa4ae2e0bb613d3236e52c40aa154b20"
},
{
"type": "PACKAGE",
"url": "https://github.com/Graylog2/graylog2-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Graylog user session is still usable after logout"
}
GHSA-3G4X-5GH5-43G8
Vulnerability from github – Published: 2025-04-25 00:32 – Updated: 2025-04-25 00:32ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
{
"affected": [],
"aliases": [
"CVE-2025-2185"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-25T00:15:15Z",
"severity": "HIGH"
},
"details": "ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which\n could permit an attacker to transmit passwords over unencrypted \nconnections, resulting in the product becoming vulnerable to \ninterception.",
"id": "GHSA-3g4x-5gh5-43g8",
"modified": "2025-04-25T00:32:02Z",
"published": "2025-04-25T00:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2185"
},
{
"type": "WEB",
"url": "https://www.albedotelecom.com/contactus.php"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3GV2-29QC-V67M
Vulnerability from github – Published: 2023-02-01 18:48 – Updated: 2025-02-13 18:36Description
When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.
Resolution
Symfony removes all CSRF tokens from the session on successful login.
The patch for this issue is available here for branch 4.4.
Credits
We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "4.4.50"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.4.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "4.4.50"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.4.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24895"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-01T18:48:06Z",
"nvd_published_at": "2023-02-03T22:15:00Z",
"severity": "MODERATE"
},
"details": "Description\n-----------\n\nWhen authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.\n\nResolution\n----------\n\nSymfony removes all CSRF tokens from the session on successful login.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4.\n\nCredits\n-------\n\nWe would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-3gv2-29qc-v67m",
"modified": "2025-02-13T18:36:42Z",
"published": "2023-02-01T18:48:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24895"
},
{
"type": "WEB",
"url": "https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2022-24895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Symfony vulnerable to Session Fixation of CSRF tokens"
}
GHSA-3J66-8RRV-5M2G
Vulnerability from github – Published: 2022-05-17 02:49 – Updated: 2022-05-17 02:49Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.
{
"affected": [],
"aliases": [
"CVE-2016-5069"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-10T03:59:00Z",
"severity": "CRITICAL"
},
"details": "Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.",
"id": "GHSA-3j66-8rrv-5m2g",
"modified": "2022-05-17T02:49:57Z",
"published": "2022-05-17T02:49:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5069"
},
{
"type": "WEB",
"url": "https://carvesystems.com/sierra-wireless-2016-advisory.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3JFF-V2MX-4RWR
Vulnerability from github – Published: 2023-06-26 21:30 – Updated: 2024-04-04 05:10An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote authenticated attacker to execute arbitrary code and cause a denial of service via a the session expiration function.
{
"affected": [],
"aliases": [
"CVE-2023-36252"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T19:15:09Z",
"severity": "HIGH"
},
"details": "An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote authenticated attacker to execute arbitrary code and cause a denial of service via a the session expiration function.",
"id": "GHSA-3jff-v2mx-4rwr",
"modified": "2024-04-04T05:10:40Z",
"published": "2023-06-26T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36252"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3Q8R-F3PJ-3GC4
Vulnerability from github – Published: 2022-10-07 18:16 – Updated: 2024-09-11 18:26In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41672"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-07T21:57:35Z",
"nvd_published_at": "2022-10-07T07:15:00Z",
"severity": "HIGH"
},
"details": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn\u0027t prevent an already authenticated user from being able to continue using the UI or API.",
"id": "GHSA-3q8r-f3pj-3gc4",
"modified": "2024-09-11T18:26:16Z",
"published": "2022-10-07T18:16:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41672"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26635"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API"
}
GHSA-3VR5-764G-C3PW
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2026-06-09 12:31An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
{
"affected": [],
"aliases": [
"CVE-2024-50562"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:19:25Z",
"severity": "MODERATE"
},
"details": "An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.",
"id": "GHSA-3vr5-764g-c3pw",
"modified": "2026-06-09T12:31:58Z",
"published": "2025-06-10T18:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50562"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-339"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.