CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-CRF4-J4G9-P5F8
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.
{
"affected": [],
"aliases": [
"CVE-2024-35048"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:39:38Z",
"severity": "MODERATE"
},
"details": "An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password.",
"id": "GHSA-crf4-j4g9-p5f8",
"modified": "2024-07-03T18:41:11Z",
"published": "2024-05-14T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35048"
},
{
"type": "WEB",
"url": "https://github.com/javahuang/SurveyKing/issues/56"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVG9-CJ93-X2H9
Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-03-17 00:04IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942.
{
"affected": [],
"aliases": [
"CVE-2021-38986"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-01T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 212942.",
"id": "GHSA-cvg9-cj93-x2h9",
"modified": "2022-03-17T00:04:27Z",
"published": "2022-03-02T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38986"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212942"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6560032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CW7P-Q79F-M2V7
Vulnerability from github – Published: 2021-11-08 18:02 – Updated: 2024-09-24 20:50Impact
Users of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.
Patches
Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the user environment that needs patching. There are no patches necessary in the Hub environment.
Workarounds
The only workaround is to make sure that only one JupyterLab tab is open when you log out.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterhub"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41247"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-04T17:49:19Z",
"nvd_published_at": "2021-11-04T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsers of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.\n\n### Patches\n\nUpgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment.\n\n### Workarounds\n\nThe only workaround is to make sure that only one JupyterLab tab is open when you log out.",
"id": "GHSA-cw7p-q79f-m2v7",
"modified": "2024-09-24T20:50:54Z",
"published": "2021-11-08T18:02:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41247"
},
{
"type": "WEB",
"url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyterhub/jupyterhub"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2021-386.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "incomplete JupyterHub logout with simultaneous JupyterLab sessions"
}
GHSA-CWH2-RJ8J-GM58
Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2024-11-14 15:32A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-11208"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T14:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-cwh2-rj8j-gm58",
"modified": "2024-11-14T15:32:16Z",
"published": "2024-11-14T15:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11208"
},
{
"type": "WEB",
"url": "https://gist.github.com/0xArthurSouza/ce3b89887b03cc899d5e8cb6e472b04e"
},
{
"type": "WEB",
"url": "https://ibb.co/1LxSK2k"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.284522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.284522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.437211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CXCR-RJ95-H6F4
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36376"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T21:22:14Z",
"severity": "MODERATE"
},
"details": "IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-cxcr-rj95-h6f4",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36376"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7260390"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F24X-5G9Q-753F
Vulnerability from github – Published: 2026-04-14 22:31 – Updated: 2026-04-15 21:06Impact
A regression introduced in v7.11.0 is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page.
This only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be shown the sign-in page while the existing session cookie remains valid, so the browser session is not actually logged out. On shared workstations be it browsers or devices, a subsequent user could continue to use the previous user's authenticated session.
Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected.
Patches
This issue is fixed in v7.15.2.
Workarounds
Do not rely on the sign-in page to clear an existing session. Instead:
- Use the dedicated logout/sign-out endpoint of OAuth2 Proxy
- Ensure your application logout flow explicitly clears the OAuth2 Proxy session cookie before redirecting users to the sign-in page
- If needed, clear the session cookie at the reverse proxy or application layer as a temporary mitigation
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy/v7"
},
"ranges": [
{
"events": [
{
"introduced": "7.11.0"
},
{
"fixed": "7.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34454"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T22:31:03Z",
"nvd_published_at": "2026-04-14T23:16:28Z",
"severity": "LOW"
},
"details": "### Impact\nA regression introduced in [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/pull/2605) is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page.\n\nThis only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be shown the sign-in page while the existing session cookie remains valid, so the browser session is not actually logged out. On shared workstations be it browsers or devices, a subsequent user could continue to use the previous user\u0027s authenticated session.\n\nDeployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected.\n\n### Patches\nThis issue is fixed in v7.15.2.\n\n### Workarounds\nDo not rely on the sign-in page to clear an existing session. Instead:\n\n- Use the dedicated logout/sign-out endpoint of OAuth2 Proxy\n- Ensure your application logout flow explicitly clears the OAuth2 Proxy session cookie before redirecting users to the sign-in page\n- If needed, clear the session cookie at the reverse proxy or application layer as a temporary mitigation",
"id": "GHSA-f24x-5g9q-753f",
"modified": "2026-04-15T21:06:34Z",
"published": "2026-04-14T22:31:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34454"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/pull/2605"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth2-proxy/oauth2-proxy"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OAuth2 Proxy\u0027s session cookies are not cleared when rendering sign-in page"
}
GHSA-F3Q9-V3P2-WX3Q
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2020-24387"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T20:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.",
"id": "GHSA-f3q9-v3p2-wx3q",
"modified": "2022-05-24T17:31:13Z",
"published": "2022-05-24T17:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24387"
},
{
"type": "WEB",
"url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln"
},
{
"type": "WEB",
"url": "https://developers.yubico.com/yubihsm-shell"
},
{
"type": "WEB",
"url": "https://github.com/Yubico/yubihsm-shell"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO"
},
{
"type": "WEB",
"url": "https://www.yubico.com/support/security-advisories/ysa-2020-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F4HC-MPG9-VM8W
Vulnerability from github – Published: 2025-03-26 12:30 – Updated: 2025-08-25 03:33Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)
{
"affected": [],
"aliases": [
"CVE-2025-2596"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-26T11:15:39Z",
"severity": "LOW"
},
"details": "Session logout could be overwritten in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p30, \u003c2.2.0p41, and 2.1.0p49 (EOL)",
"id": "GHSA-f4hc-mpg9-vm8w",
"modified": "2025-08-25T03:33:06Z",
"published": "2025-03-26T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2596"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17808"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F55R-8RCV-MQCF
Vulnerability from github – Published: 2023-04-28 15:30 – Updated: 2023-11-22 16:31Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28472"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-28T20:40:05Z",
"nvd_published_at": "2023-04-28T14:15:10Z",
"severity": "MODERATE"
},
"details": "Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.",
"id": "GHSA-f55r-8rcv-mqcf",
"modified": "2023-11-22T16:31:00Z",
"published": "2023-04-28T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28472"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/pull/11749"
},
{
"type": "WEB",
"url": "https://concretecms.com"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/releases/tag/8.5.13"
},
{
"type": "WEB",
"url": "https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release"
},
{
"type": "WEB",
"url": "https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Concrete CMS missing secure cookie parameters"
}
GHSA-F728-PRHW-2G68
Vulnerability from github – Published: 2023-10-31 03:31 – Updated: 2023-10-31 19:39Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5865"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-31T19:39:58Z",
"nvd_published_at": "2023-10-31T01:15:07Z",
"severity": "HIGH"
},
"details": "Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.",
"id": "GHSA-f728-prhw-2g68",
"modified": "2023-10-31T19:39:58Z",
"published": "2023-10-31T03:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5865"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpmyfaq/commit/5f43786f52c3d517e7665abd25d534e180e08dc5"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/4c4b7395-d9fd-4ca0-98d7-2e20c1249aff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in thorsten/phpmyfaq "
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.