Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-53HQ-PWC4-H68H

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active.",
  "id": "GHSA-53hq-pwc4-h68h",
  "modified": "2022-05-24T17:33:54Z",
  "published": "2022-05-24T17:33:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23140"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/virendratiwari03/bddafb3cd82dde8202bd056d340d3e36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-53MM-HX32-6475

Vulnerability from github – Published: 2022-12-14 21:30 – Updated: 2022-12-19 21:10
VLAI
Summary
TYPO3 vulnerable to Insufficient Session Expiration
Details

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "derhansen/fe_change_pwd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "derhansen/fe_change_pwd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-47406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T21:10:07Z",
    "nvd_published_at": "2022-12-14T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.",
  "id": "GHSA-53mm-hx32-6475",
  "modified": "2022-12-19T21:10:07Z",
  "published": "2022-12-14T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/derhansen/fe_change_pwd/CVE-2022-47406.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2022-016"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 vulnerable to Insufficient Session Expiration"
}

GHSA-55C7-JCXX-6JXX

Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-04 00:00
VLAI
Details

In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-03T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.",
  "id": "GHSA-55c7-jcxx-6jxx",
  "modified": "2022-05-04T00:00:24Z",
  "published": "2022-05-04T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopizer-ecommerce/shopizer/blob/3.0.1/sm-shop/src/main/java/com/salesmanager/shop/store/api/v1/customer/AuthenticateCustomerApi.java#L213-L237"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5765-9MM7-GG46

Vulnerability from github – Published: 2024-05-03 21:30 – Updated: 2024-05-03 21:30
VLAI
Details

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 264938.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  264938.",
  "id": "GHSA-5765-9mm7-gg46",
  "modified": "2024-05-03T21:30:30Z",
  "published": "2024-05-03T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40695"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/264938"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57GG-CJ55-Q5G2

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2026-01-16 21:48
VLAI
Summary
Token leases could outlive their TTL in HashiCorp Vault
Details

HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect Access Control.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-beta1"
            },
            {
              "fixed": "1.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-01T21:49:26Z",
    "nvd_published_at": "2020-09-30T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect Access Control.",
  "id": "GHSA-57gg-cj55-q5g2",
  "modified": "2026-01-16T21:48:17Z",
  "published": "2022-05-24T22:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25816"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154"
    },
    {
      "type": "WEB",
      "url": "https://www.hashicorp.com/blog/category/vault"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Token leases could outlive their TTL in HashiCorp Vault"
}

GHSA-597C-MH7M-48V7

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2024-04-25 21:37
VLAI
Summary
SimpleSAMLphp Invalid token creation and validation
Details

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-12867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T21:37:10Z",
    "nvd_published_at": "2017-08-29T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.",
  "id": "GHSA-597c-mh7m-48v7",
  "modified": "2024-04-25T21:37:10Z",
  "published": "2022-05-13T01:42:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/simplesamlphp"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://simplesamlphp.org/security/201708-01"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SimpleSAMLphp Invalid token creation and validation"
}

GHSA-59QG-93JG-236F

Vulnerability from github – Published: 2023-01-20 23:18 – Updated: 2023-01-20 23:18
VLAI
Summary
Shopware has Insufficient Session Expiration in Administration
Details

Impact

The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.

Patches

We added an automatic logout into the Administration, so the user will be logged out when they are inactive.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.18.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.18.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T23:18:17Z",
    "nvd_published_at": "2023-01-17T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. \n\n### Patches\nWe added an automatic logout into the Administration, so the user will be logged out when they are inactive.\n\n### References\n\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates",
  "id": "GHSA-59qg-93jg-236f",
  "modified": "2023-01-20T23:18:17Z",
  "published": "2023-01-20T23:18:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopware has Insufficient Session Expiration in Administration"
}

GHSA-5C3F-6486-3G7G

Vulnerability from github – Published: 2026-06-23 17:03 – Updated: 2026-06-23 17:03
VLAI
Summary
Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Details

Summary

Password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry.

Severity

Medium (CVSS 3.1: 6.8)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

  • Attack Vector: Network — the reset endpoint is reachable over HTTP/S.
  • Attack Complexity: High — successful exploitation requires (1) the instance to be configured with RESET_PASSWORD_CODE_LIVES < ACTIVATE_CODE_LIVES, AND (2) the attacker to have intercepted the victim's reset token (e.g., from a compromised or shared email inbox).
  • Privileges Required: None — no Gogs account is required.
  • User Interaction: Required — the victim must have triggered a password-reset request.
  • Scope: Unchanged — the impact is confined to the victim's Gogs account.
  • Confidentiality Impact: High — successful exploitation leads to account takeover, exposing all private repositories and data.
  • Integrity Impact: High — the attacker can change the victim's password and gain full write access.
  • Availability Impact: None.

Affected component

  • internal/userx/userx.goGenerateActivateCode() (line 39)
  • internal/email/email.goSendResetPasswordMail() (line 132)
  • internal/route/user/auth.goverifyUserActiveCode() (lines 426–439) and ResetPasswdPost() (line 621)

CWE

  • CWE-324: Use of a Key Past Its Expiration Date
  • CWE-613: Insufficient Session Expiration

Description

The reset token lifetime is hardcoded to ActivateCodeLives at generation

GenerateActivateCode (called for both account activation and password reset) bakes conf.Auth.ActivateCodeLives — not ResetPasswordCodeLives — into the token as a 6-digit field:

// internal/userx/userx.go:36-46
func GenerateActivateCode(userID int64, email, name, password, rands string) string {
    code := tool.CreateTimeLimitCode(
        fmt.Sprintf("%d%s%s%s%s", userID, email, strings.ToLower(name), password, rands),
        conf.Auth.ActivateCodeLives,   // ← always ActivateCodeLives, never ResetPasswordCodeLives
        nil,
    )
    code += hex.EncodeToString([]byte(strings.ToLower(name)))
    return code
}

CreateTimeLimitCode embeds the minutes value at positions 12–17 of the token:

Token format: YYYYMMDDHHMM (12) | 000180 (6-digit lives) | SHA1 (40) | hex-username

SendResetPasswordMail calls u.GenerateEmailActivateCode(u.Email()) — which resolves to GenerateActivateCode — with no option to pass a different lifetime:

// internal/email/email.go:131-132
func SendResetPasswordMail(c *macaron.Context, u User) error {
    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateEmailActivateCode(u.Email()), ...)
}

ResetPasswordCodeLives is used only for display, not enforcement

VerifyTimeLimitCode discards the minutes argument and re-extracts the lifetime directly from the token itself:

// internal/tool/tool.go:62-86
func VerifyTimeLimitCode(data string, minutes int, code string) bool {
    start := code[:12]
    lives := code[12:18]
    if d, err := strconv.Atoi(lives); err == nil {
        minutes = d    // ← argument overridden by value baked into the token
    }
    retCode := CreateTimeLimitCode(data, minutes, start)
    if retCode == code && minutes > 0 {
        before, _ := time.ParseInLocation("200601021504", start, time.Local)
        if before.Add(time.Minute * time.Duration(minutes)).Unix() > now.Unix() {
            return true
        }
    }
    return false
}

The verifyUserActiveCode caller passes conf.Auth.ActivateCodeLives as minutes, but it makes no difference:

// internal/route/user/auth.go:426-439
func verifyUserActiveCode(code string) (user *database.User) {
    minutes := conf.Auth.ActivateCodeLives   // passed to VerifyTimeLimitCode but immediately overridden
    if user = parseUserFromCode(code); user != nil {
        prefix := code[:tool.TimeLimitCodeLength]
        data := strconv.FormatInt(user.ID, 10) + user.Email + user.LowerName + user.Password + user.Rands
        if tool.VerifyTimeLimitCode(data, minutes, prefix) {
            return user
        }
    }
    return nil
}

ResetPasswdPost validates the reset token through verifyUserActiveCode, so it inherits the same flaw:

// internal/route/user/auth.go:621
if u := verifyUserActiveCode(code); u != nil {

ResetPasswordCodeLives appears only in email template data and in the admin config display — it has zero effect on actual token validation:

// internal/email/email.go:109 — template data only, not used to generate the token
"ResetPwdCodeLives": conf.Auth.ResetPasswordCodeLives / 60,

Full execution chain

  1. Victim requests reset: POST /user/forget_passwordSendResetPasswordMail generates a token embedding ActivateCodeLives = 180 at bytes 12–17.
  2. Email delivered: The reset email says "link valid for 10 minutes" (from ResetPwdCodeLives in the template) but the embedded lifetime is 180.
  3. RESET_PASSWORD_CODE_LIVES window closes: After 10 minutes the victim believes the link has expired.
  4. Attacker submits the token: POST /user/reset_password?code=<TOKEN>ResetPasswdPostverifyUserActiveCodeVerifyTimeLimitCode extracts 000180 from the token → confirms the token has not yet reached the 180-minute mark → returns the user object → password is updated.
  5. Account takeover: Attacker sets a new password and authenticates as the victim.

Proof of Concept

# app.ini configuration that exposes the bug:
[auth]
ACTIVATE_CODE_LIVES = 180
RESET_PASSWORD_CODE_LIVES = 10
# 1) Request password reset for victim account
curl -i -X POST -d 'email=victim@example.com' http://HOST/user/forget_password

# 2) Obtain the reset link from the email.
#    Wait 11 minutes (past RESET_PASSWORD_CODE_LIVES, within ACTIVATE_CODE_LIVES).

# 3) Submit the "expired" reset code — it still succeeds
curl -i -X POST \
  -d 'code=<CODE_FROM_EMAIL>&password=AttackerNewPass' \
  'http://HOST/user/reset_password?code=<CODE_FROM_EMAIL>'

# Expected: HTTP 302 redirect to /user/login — password successfully changed
# despite the reset window having "closed" 10 minutes ago.

Impact

  • An administrator who sets RESET_PASSWORD_CODE_LIVES shorter than ACTIVATE_CODE_LIVES to limit the window of exposure for intercepted reset emails gets no security benefit from that configuration.
  • Reset tokens remain valid for the full activation lifetime (default 3 hours), giving an attacker who has intercepted a reset email a much larger window to use it.
  • The reset email actively misleads users by advertising a shorter expiry that is never enforced.
  • All password-reset operations are affected; there is no per-user or per-request way to issue a correctly-expiring token.

Recommended remediation

Option 1: Add a ResetPasswordCodeLives-aware generation function (preferred)

Introduce a dedicated code-generation path that passes conf.Auth.ResetPasswordCodeLives instead of ActivateCodeLives:

// internal/userx/userx.go
func GenerateResetPasswordCode(userID int64, email, name, password, rands string) string {
    code := tool.CreateTimeLimitCode(
        fmt.Sprintf("%d%s%s%s%s", userID, email, strings.ToLower(name), password, rands),
        conf.Auth.ResetPasswordCodeLives,   // ← correct lifetime
        nil,
    )
    code += hex.EncodeToString([]byte(strings.ToLower(name)))
    return code
}

Update email.User to expose this through the interface:

// internal/email/email.go interface
GenerateResetPasswordCode(email string) string

Update SendResetPasswordMail to call it:

func SendResetPasswordMail(c *macaron.Context, u User) error {
    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateResetPasswordCode(u.Email()), ...)
}

Because VerifyTimeLimitCode reads the lifetime from the token itself, no change to the verification side is required — tokens generated with ResetPasswordCodeLives will automatically expire at the correct time.

Option 2: Validate the extracted lifetime against the configured maximum

Add a post-extraction check in VerifyTimeLimitCode or in the reset-specific verification function to reject tokens whose embedded lifetime exceeds ResetPasswordCodeLives:

// in verifyUserActiveCode, after extracting the prefix:
embeddedLives := ... // parse positions 12-18 of the code
if embeddedLives > conf.Auth.ResetPasswordCodeLives {
    return nil  // reject tokens with a longer-than-allowed lifetime
}

This is a defence-in-depth measure but does not fix the root cause; Option 1 is preferred.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:03:25Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nPassword-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making `RESET_PASSWORD_CODE_LIVES` irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry.\n\n## Severity\n\n**Medium** (CVSS 3.1: 6.8)\n\n`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N`\n\n- **Attack Vector:** Network \u2014 the reset endpoint is reachable over HTTP/S.\n- **Attack Complexity:** High \u2014 successful exploitation requires (1) the instance to be configured with `RESET_PASSWORD_CODE_LIVES \u003c ACTIVATE_CODE_LIVES`, AND (2) the attacker to have intercepted the victim\u0027s reset token (e.g., from a compromised or shared email inbox).\n- **Privileges Required:** None \u2014 no Gogs account is required.\n- **User Interaction:** Required \u2014 the victim must have triggered a password-reset request.\n- **Scope:** Unchanged \u2014 the impact is confined to the victim\u0027s Gogs account.\n- **Confidentiality Impact:** High \u2014 successful exploitation leads to account takeover, exposing all private repositories and data.\n- **Integrity Impact:** High \u2014 the attacker can change the victim\u0027s password and gain full write access.\n- **Availability Impact:** None.\n\n## Affected component\n\n- `internal/userx/userx.go` \u2014 `GenerateActivateCode()` (line 39)\n- `internal/email/email.go` \u2014 `SendResetPasswordMail()` (line 132)\n- `internal/route/user/auth.go` \u2014 `verifyUserActiveCode()` (lines 426\u2013439) and `ResetPasswdPost()` (line 621)\n\n## CWE\n\n- **CWE-324**: Use of a Key Past Its Expiration Date\n- **CWE-613**: Insufficient Session Expiration\n\n## Description\n\n### The reset token lifetime is hardcoded to `ActivateCodeLives` at generation\n\n`GenerateActivateCode` (called for both account activation and password reset) bakes `conf.Auth.ActivateCodeLives` \u2014 not `ResetPasswordCodeLives` \u2014 into the token as a 6-digit field:\n\n```go\n// internal/userx/userx.go:36-46\nfunc GenerateActivateCode(userID int64, email, name, password, rands string) string {\n    code := tool.CreateTimeLimitCode(\n        fmt.Sprintf(\"%d%s%s%s%s\", userID, email, strings.ToLower(name), password, rands),\n        conf.Auth.ActivateCodeLives,   // \u2190 always ActivateCodeLives, never ResetPasswordCodeLives\n        nil,\n    )\n    code += hex.EncodeToString([]byte(strings.ToLower(name)))\n    return code\n}\n```\n\n`CreateTimeLimitCode` embeds the `minutes` value at positions 12\u201317 of the token:\n\n```\nToken format: YYYYMMDDHHMM (12) | 000180 (6-digit lives) | SHA1 (40) | hex-username\n```\n\n`SendResetPasswordMail` calls `u.GenerateEmailActivateCode(u.Email())` \u2014 which resolves to `GenerateActivateCode` \u2014 with no option to pass a different lifetime:\n\n```go\n// internal/email/email.go:131-132\nfunc SendResetPasswordMail(c *macaron.Context, u User) error {\n    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateEmailActivateCode(u.Email()), ...)\n}\n```\n\n### `ResetPasswordCodeLives` is used only for display, not enforcement\n\n`VerifyTimeLimitCode` discards the `minutes` argument and re-extracts the lifetime directly from the token itself:\n\n```go\n// internal/tool/tool.go:62-86\nfunc VerifyTimeLimitCode(data string, minutes int, code string) bool {\n    start := code[:12]\n    lives := code[12:18]\n    if d, err := strconv.Atoi(lives); err == nil {\n        minutes = d    // \u2190 argument overridden by value baked into the token\n    }\n    retCode := CreateTimeLimitCode(data, minutes, start)\n    if retCode == code \u0026\u0026 minutes \u003e 0 {\n        before, _ := time.ParseInLocation(\"200601021504\", start, time.Local)\n        if before.Add(time.Minute * time.Duration(minutes)).Unix() \u003e now.Unix() {\n            return true\n        }\n    }\n    return false\n}\n```\n\nThe `verifyUserActiveCode` caller passes `conf.Auth.ActivateCodeLives` as `minutes`, but it makes no difference:\n\n```go\n// internal/route/user/auth.go:426-439\nfunc verifyUserActiveCode(code string) (user *database.User) {\n    minutes := conf.Auth.ActivateCodeLives   // passed to VerifyTimeLimitCode but immediately overridden\n    if user = parseUserFromCode(code); user != nil {\n        prefix := code[:tool.TimeLimitCodeLength]\n        data := strconv.FormatInt(user.ID, 10) + user.Email + user.LowerName + user.Password + user.Rands\n        if tool.VerifyTimeLimitCode(data, minutes, prefix) {\n            return user\n        }\n    }\n    return nil\n}\n```\n\n`ResetPasswdPost` validates the reset token through `verifyUserActiveCode`, so it inherits the same flaw:\n\n```go\n// internal/route/user/auth.go:621\nif u := verifyUserActiveCode(code); u != nil {\n```\n\n`ResetPasswordCodeLives` appears only in email template data and in the admin config display \u2014 it has zero effect on actual token validation:\n\n```go\n// internal/email/email.go:109 \u2014 template data only, not used to generate the token\n\"ResetPwdCodeLives\": conf.Auth.ResetPasswordCodeLives / 60,\n```\n\n### Full execution chain\n\n1. **Victim requests reset**: `POST /user/forget_password` \u2192 `SendResetPasswordMail` generates a token embedding `ActivateCodeLives = 180` at bytes 12\u201317.\n2. **Email delivered**: The reset email says \"link valid for 10 minutes\" (from `ResetPwdCodeLives` in the template) but the embedded lifetime is 180.\n3. **`RESET_PASSWORD_CODE_LIVES` window closes**: After 10 minutes the victim believes the link has expired.\n4. **Attacker submits the token**: `POST /user/reset_password?code=\u003cTOKEN\u003e` \u2192 `ResetPasswdPost` \u2192 `verifyUserActiveCode` \u2192 `VerifyTimeLimitCode` extracts `000180` from the token \u2192 confirms the token has not yet reached the 180-minute mark \u2192 returns the user object \u2192 password is updated.\n5. **Account takeover**: Attacker sets a new password and authenticates as the victim.\n\n## Proof of Concept\n\n```ini\n# app.ini configuration that exposes the bug:\n[auth]\nACTIVATE_CODE_LIVES = 180\nRESET_PASSWORD_CODE_LIVES = 10\n```\n\n```bash\n# 1) Request password reset for victim account\ncurl -i -X POST -d \u0027email=victim@example.com\u0027 http://HOST/user/forget_password\n\n# 2) Obtain the reset link from the email.\n#    Wait 11 minutes (past RESET_PASSWORD_CODE_LIVES, within ACTIVATE_CODE_LIVES).\n\n# 3) Submit the \"expired\" reset code \u2014 it still succeeds\ncurl -i -X POST \\\n  -d \u0027code=\u003cCODE_FROM_EMAIL\u003e\u0026password=AttackerNewPass\u0027 \\\n  \u0027http://HOST/user/reset_password?code=\u003cCODE_FROM_EMAIL\u003e\u0027\n\n# Expected: HTTP 302 redirect to /user/login \u2014 password successfully changed\n# despite the reset window having \"closed\" 10 minutes ago.\n```\n\n## Impact\n\n- An administrator who sets `RESET_PASSWORD_CODE_LIVES` shorter than `ACTIVATE_CODE_LIVES` to limit the window of exposure for intercepted reset emails gets no security benefit from that configuration.\n- Reset tokens remain valid for the full activation lifetime (default 3 hours), giving an attacker who has intercepted a reset email a much larger window to use it.\n- The reset email actively misleads users by advertising a shorter expiry that is never enforced.\n- All password-reset operations are affected; there is no per-user or per-request way to issue a correctly-expiring token.\n\n## Recommended remediation\n\n### Option 1: Add a `ResetPasswordCodeLives`-aware generation function (preferred)\n\nIntroduce a dedicated code-generation path that passes `conf.Auth.ResetPasswordCodeLives` instead of `ActivateCodeLives`:\n\n```go\n// internal/userx/userx.go\nfunc GenerateResetPasswordCode(userID int64, email, name, password, rands string) string {\n    code := tool.CreateTimeLimitCode(\n        fmt.Sprintf(\"%d%s%s%s%s\", userID, email, strings.ToLower(name), password, rands),\n        conf.Auth.ResetPasswordCodeLives,   // \u2190 correct lifetime\n        nil,\n    )\n    code += hex.EncodeToString([]byte(strings.ToLower(name)))\n    return code\n}\n```\n\nUpdate `email.User` to expose this through the interface:\n\n```go\n// internal/email/email.go interface\nGenerateResetPasswordCode(email string) string\n```\n\nUpdate `SendResetPasswordMail` to call it:\n\n```go\nfunc SendResetPasswordMail(c *macaron.Context, u User) error {\n    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateResetPasswordCode(u.Email()), ...)\n}\n```\n\nBecause `VerifyTimeLimitCode` reads the lifetime from the token itself, no change to the verification side is required \u2014 tokens generated with `ResetPasswordCodeLives` will automatically expire at the correct time.\n\n### Option 2: Validate the extracted lifetime against the configured maximum\n\nAdd a post-extraction check in `VerifyTimeLimitCode` or in the reset-specific verification function to reject tokens whose embedded lifetime exceeds `ResetPasswordCodeLives`:\n\n```go\n// in verifyUserActiveCode, after extracting the prefix:\nembeddedLives := ... // parse positions 12-18 of the code\nif embeddedLives \u003e conf.Auth.ResetPasswordCodeLives {\n    return nil  // reject tokens with a longer-than-allowed lifetime\n}\n```\n\nThis is a defence-in-depth measure but does not fix the root cause; Option 1 is preferred.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-5c3f-6486-3g7g",
  "modified": "2026-06-23T17:03:25Z",
  "published": "2026-06-23T17:03:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/187e9c557930eb4a8b9b1502ee45cccf3255ee7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs\u0027s password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES"
}

GHSA-5FMW-QRMV-X2MW

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-04T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges.",
  "id": "GHSA-5fmw-qrmv-x2mw",
  "modified": "2022-05-24T19:19:47Z",
  "published": "2022-05-24T19:19:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34739"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-switches-tokens-UzwpR4e5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5FRQ-4CX3-FRC8

Vulnerability from github – Published: 2024-06-11 12:31 – Updated: 2024-08-06 15:30
VLAI
Details

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application does not expire the session. This could allow an attacker to get unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T12:15:16Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions \u003c V1.2). The affected application does not expire the session. This could allow an attacker to get unauthorized access.",
  "id": "GHSA-5frq-4cx3-frc8",
  "modified": "2024-08-06T15:30:47Z",
  "published": "2024-06-11T12:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35206"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-196737.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.