CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-4M8G-QFMV-JCQG
Vulnerability from github – Published: 2023-01-05 18:30 – Updated: 2023-01-12 03:30IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081.
{
"affected": [],
"aliases": [
"CVE-2022-43844"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081.",
"id": "GHSA-4m8g-qfmv-jcqg",
"modified": "2023-01-12T03:30:15Z",
"published": "2023-01-05T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43844"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/239081"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6852663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4R8W-3JWW-M2RP
Vulnerability from github – Published: 2025-10-16 12:30 – Updated: 2025-10-22 19:36Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/strapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.24.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3930"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T21:21:44Z",
"nvd_published_at": "2025-10-16T11:15:29Z",
"severity": "MODERATE"
},
"details": "Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token\u00a0endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.",
"id": "GHSA-4r8w-3jww-m2rp",
"modified": "2025-10-22T19:36:22Z",
"published": "2025-10-16T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3930"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/06/CVE-2025-3930"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
},
{
"type": "WEB",
"url": "https://strapi.io"
},
{
"type": "WEB",
"url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Strapi is vulnerable to Insufficient Session Expiration"
}
GHSA-4RP7-5W2X-WWVH
Vulnerability from github – Published: 2026-04-02 00:31 – Updated: 2026-04-02 00:31IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-66483"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T23:17:01Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-4rp7-5w2x-wwvh",
"modified": "2026-04-02T00:31:04Z",
"published": "2026-04-02T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66483"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7267848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4VXV-4XQ4-P84H
Vulnerability from github – Published: 2026-04-01 22:08 – Updated: 2026-04-06 17:15Summary
Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw)
- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deleted. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.
Description
The application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.
The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.
Affected Functionality
- User session management and authentication logic
- Account deletion mechanism
- All authenticated endpoints, including administrative and content interfaces
Attack Scenario
- A user logs into the application.
- An administrator deletes the user account.
- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.
- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.
- Access is only lost if the user manually logs out, which may never occur.
Impact
- Unauthorized Continued Access: Deleted users retain full access indefinitely, violating intended access control and expected security behavior.
- Bypass of Administrative Controls: Administrative actions (deletion) fail to immediately restrict active sessions.
- Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.
- Full Functional Access Retained: Deleted users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before deletion.
- Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deletion, including accessing user management interfaces and modifying application state.
- Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.
- Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.
- False Sense of Remediation: Administrators may believe a threat has been mitigated while the deleted user remains active within the system.
Endpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.
Steps To Reproduce (PoC)
- Create or use an existing user account.
- Log into the application using this account.
- From an administrative account, delete the logged-in user account.
- Observe that the target user remains authenticated.
- Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.
- Confirm that the user only loses access after manually logging out (if they choose to do so).
Remediation
- Immediately invalidate all active sessions when an account is deleted.
- Enforce account status checks on every authenticated request, not only during login.
- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.
- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.
Ready Video POC:
https://mega.nz/file/7dlUTQAB#0oXOapF5XYN4DRRG1xYj6DajmuP72MpMdsHqbVBMmWw
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.28.6.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34570"
],
"database_specific": {
"cwe_ids": [
"CWE-1254",
"CWE-284",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T22:08:29Z",
"nvd_published_at": "2026-04-01T22:16:20Z",
"severity": "HIGH"
},
"details": "## Summary\n### Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw)\n- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deleted. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.\n\n### Description\nThe application fails to immediately revoke active user sessions when an account is **deleted**. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.\n\nThe system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.\n\n### Affected Functionality\n- User session management and authentication logic\n- Account **deletion** mechanism\n- All authenticated endpoints, including administrative and content interfaces\n\n### Attack Scenario\n- A user logs into the application.\n- An administrator **deletes** the user account.\n- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.\n- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.\n- Access is only lost if the user manually logs out, which may never occur.\n\n### Impact\n- **Unauthorized Continued Access:** Deleted users retain full access indefinitely, violating intended access control and expected security behavior.\n- **Bypass of Administrative Controls:** Administrative actions (**deletion**) fail to immediately restrict active sessions.\n- **Logic Flaw Resulting in Broken Behavior:** Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.\n- **Full Functional Access Retained:** Deleted users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before deletion.\n- **Privilege Abuse:** Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deletion, including accessing user management interfaces and modifying application state.\n- **Service Disruption Potential:** Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.\n- **Attack Persistence:** Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.\n- **False Sense of Remediation:** Administrators may believe a threat has been mitigated while the deleted user remains active within the system.\n\n**Endpoint Example:** Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.\n\n## Steps To Reproduce (PoC)\n1. Create or use an existing user account.\n2. Log into the application using this account.\n3. From an administrative account, **delete** the logged-in user account.\n4. Observe that the target user remains authenticated.\n5. Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.\n6. Confirm that the user only loses access after manually logging out (if they choose to do so).\n\n## Remediation\n- Immediately invalidate all active sessions when an account is **deleted**.\n- Enforce account status checks on every authenticated request, not only during login.\n- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.\n- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.\n\n# Ready Video POC:\nhttps://mega.nz/file/7dlUTQAB#0oXOapF5XYN4DRRG1xYj6DajmuP72MpMdsHqbVBMmWw",
"id": "GHSA-4vxv-4xq4-p84h",
"modified": "2026-04-06T17:15:26Z",
"published": "2026-04-01T22:08:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34570"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All\u2011Roles via Improper Session Invalidation (Logic Flaw)"
}
GHSA-4W59-C3GC-RRHP
Vulnerability from github – Published: 2023-02-28 23:20 – Updated: 2024-11-18 23:10From issue:
Problem description Currently, the refresh token is valid indefinitely. This is bad security practice.
Desired solution The refresh token should get a validity of 24-48 hours.
Additional context
When implementing this, also check that the refresh token returns a new refresh token When implementing this, also adapt the UI so that it logs out if refresh token is no longer valid. When implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.
Impact
Patches
None available
Workarounds
None available
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vantage6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-23929"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-28T23:20:05Z",
"nvd_published_at": "2023-03-04T00:15:00Z",
"severity": "HIGH"
},
"details": "From issue: \n\nProblem description\nCurrently, the refresh token is valid indefinitely. This is bad security practice.\n\nDesired solution\nThe refresh token should get a validity of 24-48 hours.\n\nAdditional context\n\nWhen implementing this, also check that the refresh token returns a new refresh token\nWhen implementing this, also adapt the UI so that it logs out if refresh token is no longer valid.\nWhen implementing this, ensure that nodes refresh their token periodically so that they do not have to be restarted manually.\n\n\n### Impact\n### Patches\nNone available \n\n### Workarounds\nNone available\n\n",
"id": "GHSA-4w59-c3gc-rrhp",
"modified": "2024-11-18T23:10:57Z",
"published": "2023-02-28T23:20:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23929"
},
{
"type": "WEB",
"url": "https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-54.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vantage6/vantage6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "vantage6 refresh tokens do not expire"
}
GHSA-4W9H-QQ4C-69WP
Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-08 18:30A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2–1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router’s diagnostic endpoint, resulting in command execution as root.
{
"affected": [],
"aliases": [
"CVE-2025-65883"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T20:16:19Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2\u20131.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router\u2019s diagnostic endpoint, resulting in command execution as root.",
"id": "GHSA-4w9h-qq4c-69wp",
"modified": "2025-12-08T18:30:26Z",
"published": "2025-12-04T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65883"
},
{
"type": "WEB",
"url": "https://0xw41th.medium.com/my-first-cve-cve-2025-65883-remote-code-execution-in-a-genexis-router-0c35749a99bd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4X9V-95W9-XP83
Vulnerability from github – Published: 2023-06-16 09:30 – Updated: 2024-04-04 04:54Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.
{
"affected": [],
"aliases": [
"CVE-2023-2788"
],
"database_specific": {
"cwe_ids": [
"CWE-613",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-16T09:15:09Z",
"severity": "MODERATE"
},
"details": "Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker\u0027s account is deactivated.\n\n",
"id": "GHSA-4x9v-95w9-xp83",
"modified": "2024-04-04T04:54:24Z",
"published": "2023-06-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2788"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-523Q-32QM-5JPF
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-19 18:31Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.
{
"affected": [],
"aliases": [
"CVE-2025-56643"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T18:16:07Z",
"severity": "CRITICAL"
},
"details": "Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.",
"id": "GHSA-523q-32qm-5jpf",
"modified": "2025-11-19T18:31:18Z",
"published": "2025-11-18T18:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56643"
},
{
"type": "WEB",
"url": "https://github.com/0xBS0D27/CVE-2025-56643"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5297-WRRP-RCJ7
Vulnerability from github – Published: 2024-04-08 15:48 – Updated: 2024-04-08 18:34Impact
When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.
Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.
Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.5.0"
},
{
"fixed": "6.5.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.5.0"
},
{
"fixed": "6.5.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0.0-rc1"
},
{
"fixed": "6.6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0.0-rc1"
},
{
"fixed": "6.6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31447"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-08T15:48:27Z",
"nvd_published_at": "2024-04-08T16:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won\u0027t be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. \n\n### Patches\nThe problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.\n\n### Workarounds\nWhen you are not able to update, you can install the latest version of the Shopware Security Plugin.\n",
"id": "GHSA-5297-wrrp-rcj7",
"modified": "2024-04-08T18:34:00Z",
"published": "2024-04-08T15:48:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31447"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Shopware Improper Session Handling in store-api account logout"
}
GHSA-52GH-Q32V-JM2R
Vulnerability from github – Published: 2022-11-22 21:30 – Updated: 2022-11-26 06:31IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
{
"affected": [],
"aliases": [
"CVE-2022-40228"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.",
"id": "GHSA-52gh-q32v-jm2r",
"modified": "2022-11-26T06:31:18Z",
"published": "2022-11-22T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40228"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6840759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.