Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-5GVV-3X4Q-5HP6

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:48
VLAI
Details

SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-10T21:15:00Z",
    "severity": "LOW"
  },
  "details": "SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.",
  "id": "GHSA-5gvv-3x4q-5hp6",
  "modified": "2024-04-04T02:48:59Z",
  "published": "2022-05-24T17:10:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6197"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2845363"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5H3F-885M-V22W

Vulnerability from github – Published: 2026-04-09 17:36 – Updated: 2026-04-28 18:27
VLAI
Summary
OpenClaw: Existing WS sessions survive shared gateway token rotation
Details

Impact

Existing WS sessions survive shared gateway token rotation.

Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: 2026.4.8

Fix

The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Verification

The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T17:36:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nExisting WS sessions survive shared gateway token rotation.\n\nRotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
  "id": "GHSA-5h3f-885m-v22w",
  "modified": "2026-04-28T18:27:44Z",
  "published": "2026-04-09T17:36:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Existing WS sessions survive shared gateway token rotation"
}

GHSA-5HFV-C864-QCQ9

Vulnerability from github – Published: 2026-05-04 20:50 – Updated: 2026-05-08 20:14
VLAI
Summary
CI4MS has a Deactivated User Session Bypass (active=0)
Details

Summary

The auth filter has the deactivated/banned user check commented out.

Details

CodeIgniter Shield's loggedIn() re-checks the status field (catching status='banned'), but does not re-check the active field for existing sessions. When an admin deactivates a user (active=0) after they have already logged in: - Their session cookie remains valid - auth()->loggedIn() still returns true - The commented-out code is the only mechanism that would have checked !$user->active

Evidence

image

Impact

  • User deactivation does NOT immediately revoke backend access
  • Deactivated user retains full access until session expires (default: 7200s)

Additional note

The commented-out block appears to be a deferred placeholder — it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.7.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.26.0"
            },
            {
              "fixed": "0.31.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:50:55Z",
    "nvd_published_at": "2026-05-07T04:16:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe auth filter has the deactivated/banned user check commented out. \n\n### Details\nCodeIgniter Shield\u0027s `loggedIn()` re-checks the `status` field (catching `status=\u0027banned\u0027`), but does **not** re-check the `active` field for existing sessions. When an admin deactivates a user (`active=0`) after they have already logged in:\n- Their session cookie remains valid\n- `auth()-\u003eloggedIn()` still returns `true`\n- The commented-out code is the only mechanism that would have checked `!$user-\u003eactive`\n\n### Evidence\n\u003cimg width=\"981\" height=\"654\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6f75d144-5bcf-4a3f-bc35-bb0715c3ed05\" /\u003e\n\n\n### Impact\n- User deactivation does NOT immediately revoke backend access\n- Deactivated user retains full access until session expires (default: 7200s)\n\n### Additional note\nThe commented-out block appears to be a deferred placeholder \u2014 it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.",
  "id": "GHSA-5hfv-c864-qcq9",
  "modified": "2026-05-08T20:14:41Z",
  "published": "2026-05-04T20:50:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CI4MS has a Deactivated User Session Bypass (active=0)"
}

GHSA-5MRQ-X3X5-8V8F

Vulnerability from github – Published: 2026-05-05 17:03 – Updated: 2026-06-06 00:27
VLAI
Summary
Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
Details

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.

The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.

PoC

  • Start a Jupyter server with password authentication: jupyter server password, jupyter server
  • Log in with the password and capture the authentication cookie (e.g., just login with a browser).
  • Change the password to revoke access: jupyter server password
  • Restart the server
  • Use the old stolen cookie => remains valid and provides full authenticated access.

Impact

  • All jupyter-server deployments using password authentication where security incidents may occur
  • Multi-user systems where one user's compromised session should be revocable by administrators
  • Shared or public-facing Jupyter servers where credential rotation is a security requirement
  • Any deployment where password changes are expected to revoke existing sessions

Patches

Jupyter Server 2.18+

Workaround

rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.17.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T17:03:24Z",
    "nvd_published_at": "2026-05-05T22:16:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. \n\nThe cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.\n\n## PoC\n\n- Start a Jupyter server with password authentication: `jupyter server password`, `jupyter server`\n- Log in with the password and capture the authentication cookie (e.g., just login with a browser).\n- Change the password to revoke access: `jupyter server password`\n- Restart the server\n- Use the old stolen cookie =\u003e remains valid and provides full authenticated access.\n\n## Impact\n\n- All jupyter-server deployments using password authentication where security incidents may occur\n- Multi-user systems where one user\u0027s compromised session should be revocable by administrators\n- Shared or public-facing Jupyter servers where credential rotation is a security requirement\n- Any deployment where password changes are expected to revoke existing sessions\n\n## Patches\n\nJupyter Server 2.18+\n\n## Workaround\n\n```bash\nrm ~/.local/share/jupyter/runtime/jupyter_cookie_secret\n# Then restart the server\n```",
  "id": "GHSA-5mrq-x3x5-8v8f",
  "modified": "2026-06-06T00:27:08Z",
  "published": "2026-05-05T17:03:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40934"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyter-server/jupyter_server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2026-69.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jupyter Server\u0027s Authentication Cookies Remain Valid After Password Reset and Server Restart"
}

GHSA-5MVJ-RVP8-RF45

Vulnerability from github – Published: 2023-07-28 15:35 – Updated: 2023-07-28 15:35
VLAI
Summary
Insufficient Session Expiration after a password change
Details

TL;DR

This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config).

It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.


Introduction

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device or browser even if the logged in user has since changed their password.

Impact

Kirby did not invalidate old user sessions after the user password was changed by the user or by a site admin.

If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.

Patches

The problem has been patched in Kirby 3.5.8.3, Kirby 3.6.6.3, Kirby 3.7.5.2, Kirby 3.8.4.1 and Kirby 3.9.6. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have updated the authentication implementation to keep track of the last time the password was changed. If a new password was set since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.

Credits

Thanks to Shankar Acharya (@5hank4r) for responsibly reporting the identified issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0"
            },
            {
              "fixed": "3.6.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-28T15:35:25Z",
    "nvd_published_at": "2023-07-27T15:15:12Z",
    "severity": "HIGH"
  },
  "details": "### TL;DR\n\nThis vulnerability affects all Kirby sites with user accounts (unless Kirby\u0027s API and Panel are disabled in the config).\n\nIt can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.\n\n----\n\n### Introduction\n\nInsufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\n\nIn the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device or browser even if the logged in user has since changed their password.\n\n### Impact\n\nKirby did not invalidate old user sessions after the user password was changed by the user or by a site admin.\n\nIf a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.5.8.3](https://github.com/getkirby/kirby/releases/tag/3.5.8.3), [Kirby 3.6.6.3](https://github.com/getkirby/kirby/releases/tag/3.6.6.3), [Kirby 3.7.5.2](https://github.com/getkirby/kirby/releases/tag/3.7.5.2), [Kirby 3.8.4.1](https://github.com/getkirby/kirby/releases/tag/3.8.4.1) and [Kirby 3.9.6](https://github.com/getkirby/kirby/releases/tag/3.9.6). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have updated the authentication implementation to keep track of the last time the password was changed. If a new password was set since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.\n\n### Credits\n\nThanks to Shankar Acharya (@5hank4r) for responsibly reporting the identified issue.",
  "id": "GHSA-5mvj-rvp8-rf45",
  "modified": "2023-07-28T15:35:25Z",
  "published": "2023-07-28T15:35:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration after a password change"
}

GHSA-5Q53-X3G6-993R

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-09-25 00:00
VLAI
Details

Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Rapid7 InsightVM suffers from an information exposure issue whereby, when the user\u0027s session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user",
  "id": "GHSA-5q53-x3g6-993r",
  "modified": "2022-09-25T00:00:26Z",
  "published": "2022-09-22T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5641"
    },
    {
      "type": "WEB",
      "url": "https://docs.rapid7.com/release-notes/insightvm/20220830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R8W-66HQ-RC39

Vulnerability from github – Published: 2024-05-27 18:53 – Updated: 2024-05-27 18:53
VLAI
Summary
silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled
Details

If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.19-rc1"
            },
            {
              "fixed": "3.1.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.4-rc1"
            },
            {
              "fixed": "3.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.2-rc1"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0-rc1"
            },
            {
              "fixed": "3.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T18:53:40Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "If remember me is on and users log in with the box checked, if the developer then disabled \"remember me\" function, any pre-existing cookies will continue to authenticate users.",
  "id": "GHSA-5r8w-66hq-rc39",
  "modified": "2024-05-27T18:53:40Z",
  "published": "2024-05-27T18:53:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silverstripe/silverstripe-framework"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/ss-2016-014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "silverstripe/framework\u0027s pre-existing alc_enc cookies log users in if remember me is disabled"
}

GHSA-5RQC-WQWJ-478F

Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2025-02-19 21:31
VLAI
Details

This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).",
  "id": "GHSA-5rqc-wqwj-478f",
  "modified": "2025-02-19T21:31:29Z",
  "published": "2023-03-28T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20903"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2023-20903-tokens-for-inactivated-idps-are-not-revoked-and-remain-valid-until-expiration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5V66-M237-HWF7

Vulnerability from github – Published: 2025-08-29 12:31 – Updated: 2025-08-29 16:57
VLAI
Summary
Payload does not invalidate JWTs after log out
Details

Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "payload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@payloadcms/next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@payloadcms/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T16:57:54Z",
    "nvd_published_at": "2025-08-29T10:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). \n\nThis issue has been fixed in version 3.44.0 of Payload.",
  "id": "GHSA-5v66-m237-hwf7",
  "modified": "2025-08-29T16:57:54Z",
  "published": "2025-08-29T12:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/08/CVE-2025-4643"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/payloadcms/payload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Payload does not invalidate JWTs after log out"
}

GHSA-5V93-W7MF-HC4Q

Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30
VLAI
Details

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SINEMA Remote Connect Client (All versions \u003c V3.2 SP2). The affected application does not expire the user session on reboot without logout. This could allow an attacker to bypass Multi-Factor Authentication.",
  "id": "GHSA-5v93-w7mf-hc4q",
  "modified": "2024-09-10T12:30:37Z",
  "published": "2024-09-10T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32006"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-417159.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.