Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-CRF4-J4G9-P5F8

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41
VLAI
Details

An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:39:38Z",
    "severity": "MODERATE"
  },
  "details": "An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.",
  "id": "GHSA-crf4-j4g9-p5f8",
  "modified": "2024-07-03T18:41:11Z",
  "published": "2024-05-14T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javahuang/SurveyKing/issues/56"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVG9-CJ93-X2H9

Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-01T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942.",
  "id": "GHSA-cvg9-cj93-x2h9",
  "modified": "2022-03-17T00:04:27Z",
  "published": "2022-03-02T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38986"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212942"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6560032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CW7P-Q79F-M2V7

Vulnerability from github – Published: 2021-11-08 18:02 – Updated: 2024-09-24 20:50
VLAI
Summary
incomplete JupyterHub logout with simultaneous JupyterLab sessions
Details

Impact

Users of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.

Patches

Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the user environment that needs patching. There are no patches necessary in the Hub environment.

Workarounds

The only workaround is to make sure that only one JupyterLab tab is open when you log out.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T17:49:19Z",
    "nvd_published_at": "2021-11-04T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.\n\n### Patches\n\nUpgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment.\n\n### Workarounds\n\nThe only workaround is to make sure that only one JupyterLab tab is open when you log out.",
  "id": "GHSA-cw7p-q79f-m2v7",
  "modified": "2024-09-24T20:50:54Z",
  "published": "2021-11-08T18:02:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyterhub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2021-386.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "incomplete JupyterHub logout with simultaneous JupyterLab sessions"
}

GHSA-CWH2-RJ8J-GM58

Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2024-11-14 15:32
VLAI
Details

A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T14:15:17Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-cwh2-rj8j-gm58",
  "modified": "2024-11-14T15:32:16Z",
  "published": "2024-11-14T15:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11208"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/0xArthurSouza/ce3b89887b03cc899d5e8cb6e472b04e"
    },
    {
      "type": "WEB",
      "url": "https://ibb.co/1LxSK2k"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.284522"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.284522"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.437211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CXCR-RJ95-H6F4

Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31
VLAI
Details

IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-17T21:22:14Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-cxcr-rj95-h6f4",
  "modified": "2026-02-17T21:31:14Z",
  "published": "2026-02-17T21:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36376"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7260390"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F24X-5G9Q-753F

Vulnerability from github – Published: 2026-04-14 22:31 – Updated: 2026-04-15 21:06
VLAI
Summary
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page
Details

Impact

A regression introduced in v7.11.0 is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page.

This only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be shown the sign-in page while the existing session cookie remains valid, so the browser session is not actually logged out. On shared workstations be it browsers or devices, a subsequent user could continue to use the previous user's authenticated session.

Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected.

Patches

This issue is fixed in v7.15.2.

Workarounds

Do not rely on the sign-in page to clear an existing session. Instead:

  • Use the dedicated logout/sign-out endpoint of OAuth2 Proxy
  • Ensure your application logout flow explicitly clears the OAuth2 Proxy session cookie before redirecting users to the sign-in page
  • If needed, clear the session cookie at the reverse proxy or application layer as a temporary mitigation
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.11.0"
            },
            {
              "fixed": "7.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:31:03Z",
    "nvd_published_at": "2026-04-14T23:16:28Z",
    "severity": "LOW"
  },
  "details": "### Impact\nA regression introduced in [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/pull/2605) is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page.\n\nThis only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be shown the sign-in page while the existing session cookie remains valid, so the browser session is not actually logged out. On shared workstations be it browsers or devices, a subsequent  user could continue to use the previous user\u0027s authenticated session.\n\nDeployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected.\n\n### Patches\nThis issue is fixed in v7.15.2.\n\n### Workarounds\nDo not rely on the sign-in page to clear an existing session. Instead:\n\n- Use the dedicated logout/sign-out endpoint of OAuth2 Proxy\n- Ensure your application logout flow explicitly clears the OAuth2 Proxy   session cookie before redirecting users to the sign-in page\n- If needed, clear the session cookie at the reverse proxy or application   layer as a temporary mitigation",
  "id": "GHSA-f24x-5g9q-753f",
  "modified": "2026-04-15T21:06:34Z",
  "published": "2026-04-14T22:31:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34454"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/pull/2605"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OAuth2 Proxy\u0027s session cookies are not cleared when rendering sign-in page"
}

GHSA-F3Q9-V3P2-WX3Q

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.",
  "id": "GHSA-f3q9-v3p2-wx3q",
  "modified": "2022-05-24T17:31:13Z",
  "published": "2022-05-24T17:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24387"
    },
    {
      "type": "WEB",
      "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln"
    },
    {
      "type": "WEB",
      "url": "https://developers.yubico.com/yubihsm-shell"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yubico/yubihsm-shell"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO"
    },
    {
      "type": "WEB",
      "url": "https://www.yubico.com/support/security-advisories/ysa-2020-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F4HC-MPG9-VM8W

Vulnerability from github – Published: 2025-03-26 12:30 – Updated: 2025-08-25 03:33
VLAI
Details

Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T11:15:39Z",
    "severity": "LOW"
  },
  "details": "Session logout could be overwritten in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p30, \u003c2.2.0p41, and 2.1.0p49 (EOL)",
  "id": "GHSA-f4hc-mpg9-vm8w",
  "modified": "2025-08-25T03:33:06Z",
  "published": "2025-03-26T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2596"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F55R-8RCV-MQCF

Vulnerability from github – Published: 2023-04-28 15:30 – Updated: 2023-11-22 16:31
VLAI
Summary
Concrete CMS missing secure cookie parameters
Details

Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-28T20:40:05Z",
    "nvd_published_at": "2023-04-28T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.",
  "id": "GHSA-f55r-8rcv-mqcf",
  "modified": "2023-11-22T16:31:00Z",
  "published": "2023-04-28T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concretecms/concretecms/pull/11749"
    },
    {
      "type": "WEB",
      "url": "https://concretecms.com"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concretecms/concretecms/releases/tag/8.5.13"
    },
    {
      "type": "WEB",
      "url": "https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release"
    },
    {
      "type": "WEB",
      "url": "https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Concrete CMS missing secure cookie parameters"
}

GHSA-F728-PRHW-2G68

Vulnerability from github – Published: 2023-10-31 03:31 – Updated: 2023-10-31 19:39
VLAI
Summary
Insufficient Session Expiration in thorsten/phpmyfaq
Details

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-31T19:39:58Z",
    "nvd_published_at": "2023-10-31T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.",
  "id": "GHSA-f728-prhw-2g68",
  "modified": "2023-10-31T19:39:58Z",
  "published": "2023-10-31T03:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpmyfaq/commit/5f43786f52c3d517e7665abd25d534e180e08dc5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4c4b7395-d9fd-4ca0-98d7-2e20c1249aff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in thorsten/phpmyfaq "
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.