CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-4647-M5CG-QGFR
Vulnerability from github – Published: 2026-01-20 18:31 – Updated: 2026-01-20 18:31IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36063"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T16:16:03Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-4647-m5cg-qgfr",
"modified": "2026-01-20T18:31:57Z",
"published": "2026-01-20T18:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36063"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7257244"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-465W-GG5P-85C9
Vulnerability from github – Published: 2021-05-18 21:09 – Updated: 2021-05-18 20:45An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kiali/kiali"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1762"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T20:45:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.",
"id": "GHSA-465w-gg5p-85c9",
"modified": "2021-05-18T20:45:55Z",
"published": "2021-05-18T21:09:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1762"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/c91a0949683976f621cca213c1193831d63b381c"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810387"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762"
},
{
"type": "WEB",
"url": "https://kiali.io/news/security-bulletins/kiali-security-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Kiali"
}
GHSA-4688-8PMG-JW5W
Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-02-11 12:30A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions < V19 Update 1), TIA Administrator (All versions < V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.
{
"affected": [],
"aliases": [
"CVE-2024-45386"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T11:15:13Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions \u003c V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions \u003c V5.0 Update 1), SIMOCODE ES V19 (All versions \u003c V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions \u003c V19 Update 1), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions \u003c V19 Update 1), TIA Administrator (All versions \u003c V3.0.4). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user\u0027s session even after logout.",
"id": "GHSA-4688-8pmg-jw5w",
"modified": "2025-02-11T12:30:54Z",
"published": "2025-02-11T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45386"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-342348.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-46MJ-7XPV-PPRW
Vulnerability from github – Published: 2024-04-12 18:33 – Updated: 2024-04-12 18:33IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896.
{
"affected": [],
"aliases": [
"CVE-2024-22358"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T17:17:22Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896.",
"id": "GHSA-46mj-7xpv-pprw",
"modified": "2024-04-12T18:33:27Z",
"published": "2024-04-12T18:33:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22358"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/280896"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7148109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-48RG-3G52-267G
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2026-48329"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T21:16:59Z",
"severity": "LOW"
},
"details": "ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.",
"id": "GHSA-48rg-3g52-267g",
"modified": "2026-07-14T21:32:23Z",
"published": "2026-07-14T21:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48329"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4957-H36G-34J9
Vulnerability from github – Published: 2026-07-05 09:30 – Updated: 2026-07-05 09:30A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
{
"affected": [],
"aliases": [
"CVE-2026-14725"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-05T08:16:27Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.",
"id": "GHSA-4957-h36g-34j9",
"modified": "2026-07-05T09:30:24Z",
"published": "2026-07-05T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14725"
},
{
"type": "WEB",
"url": "https://medium.com/@hemantrajbhati5555/improper-session-invalidation-in-online-boat-reservation-system-using-php-acebd53a8ae7"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14725"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/847674"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376311"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376311/cti"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4CX2-827F-FP6C
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
{
"affected": [],
"aliases": [
"CVE-2020-15950"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-05T15:15:00Z",
"severity": "HIGH"
},
"details": "Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.",
"id": "GHSA-4cx2-827f-fp6c",
"modified": "2022-05-24T17:33:12Z",
"published": "2022-05-24T17:33:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15950"
},
{
"type": "WEB",
"url": "https://labs.bishopfox.com/advisories"
},
{
"type": "WEB",
"url": "https://labs.bishopfox.com/advisories/immuta-version-2.8.2"
},
{
"type": "WEB",
"url": "https://www.immuta.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4CX3-3C38-J9VV
Vulnerability from github – Published: 2026-05-07 02:13 – Updated: 2026-05-29 21:45Impact
Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.
This affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.
Patches
The issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user’s most recent logout.
Users should upgrade to the patched Koi releases once available.
Workarounds
Katalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0
Resources
This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "katalyst-koi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.20.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "katalyst-koi"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44511"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T02:13:42Z",
"nvd_published_at": "2026-05-14T17:16:22Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAdmin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.\n\nThis affects applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.\n\n### Patches\n\nThe issue has been patched by recording admin logout time and rejecting any admin session cookie created before the user\u2019s most recent logout.\n\nUsers should upgrade to the patched Koi releases once available.\n\n### Workarounds\n\nKatalyst Koi recommends upgrading to the latest available version, or back porting the changes released in 5.6.0/4.20.0\n\n### Resources\n\nThis is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions",
"id": "GHSA-4cx3-3c38-j9vv",
"modified": "2026-05-29T21:45:23Z",
"published": "2026-05-07T02:13:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44511"
},
{
"type": "PACKAGE",
"url": "https://github.com/katalyst/koi"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katalyst-koi/CVE-2026-44511.yml"
},
{
"type": "WEB",
"url": "https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "katalyst-koi: Session cookies can be replayed after user logout"
}
GHSA-4G47-3FX3-5Q52
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.
{
"affected": [],
"aliases": [
"CVE-2020-29667"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-10T09:15:00Z",
"severity": "CRITICAL"
},
"details": "In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.",
"id": "GHSA-4g47-3fx3-5q52",
"modified": "2022-05-24T17:35:58Z",
"published": "2022-05-24T17:35:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29667"
},
{
"type": "WEB",
"url": "https://github.com/jet-pentest/CVE-2020-29667"
},
{
"type": "WEB",
"url": "http://lanatmservice.ru"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4GQG-M5MW-G8MG
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:59Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
{
"affected": [],
"aliases": [
"CVE-2018-21018"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-22T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.",
"id": "GHSA-4gqg-m5mw-g8mg",
"modified": "2024-04-04T01:59:08Z",
"published": "2022-05-24T16:56:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21018"
},
{
"type": "WEB",
"url": "https://github.com/tootsuite/mastodon/pull/9329"
},
{
"type": "WEB",
"url": "https://github.com/tootsuite/mastodon/pull/9381"
},
{
"type": "WEB",
"url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2"
},
{
"type": "WEB",
"url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.