Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-FJ52-5G4H-GMQ8

Vulnerability from github – Published: 2026-04-14 23:39 – Updated: 2026-04-14 23:39
VLAI
Summary
pyLoad's Session Not Invalidated After Permission Changes
Details

Summary

The pyload application does not properly invalidate or modify sessions upon changes made to a user's permissions.

Details

Whenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do not allow. This is not the case for the pyload application, as a user with a valid session can still perform the actions.

PoC

Take a user with all the permissions, as shown below. image

We now log in as this user. image

Let us now take away all the permissions. image

The logged in session can still be used to access everything in the application. image

Impact

Should permissions be taken away, then the user is expected not to be able to execute the actions belonging to those actions anymore.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0b3.dev97"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:39:25Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nThe `pyload` application does not properly invalidate or modify sessions upon changes made to a user\u0027s permissions.\n\n### Details\nWhenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do not allow. This is not the case for the `pyload` application, as a user with a valid session can still perform the actions.\n\n### PoC\nTake a user with all the permissions, as shown below.\n![image](https://user-images.githubusercontent.com/44903767/294956335-0e4da84f-bf9a-42c8-87f1-f5ff35967c63.png)\n\nWe now log in as this user.\n![image](https://user-images.githubusercontent.com/44903767/294956539-ac6805fe-957d-4289-8ca9-2f3b6b2878a3.png)\n\nLet us now take away all the permissions.\n![image](https://user-images.githubusercontent.com/44903767/294956689-757e6e08-03fd-42eb-b4a5-1ceefa6c24ed.png)\n\nThe logged in session can still be used to access everything in the application.\n![image](https://user-images.githubusercontent.com/44903767/294956943-fa0f23c0-a28c-4eed-89d6-1cc074feda6d.png)\n\n### Impact\nShould permissions be taken away, then the user is expected not to be able to execute the actions belonging to those actions anymore.",
  "id": "GHSA-fj52-5g4h-gmq8",
  "modified": "2026-04-14T23:39:25Z",
  "published": "2026-04-14T23:39:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-fj52-5g4h-gmq8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pyLoad\u0027s Session Not Invalidated After Permission Changes"
}

GHSA-FJFH-84XH-5HV3

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-09 00:00
VLAI
Details

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the \"ghost domain names\" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.",
  "id": "GHSA-fjfh-84xh-5hv3",
  "modified": "2022-08-09T00:00:27Z",
  "published": "2022-08-02T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30699"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202212-02"
    },
    {
      "type": "WEB",
      "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJJV-535C-93P3

Vulnerability from github – Published: 2025-07-28 21:31 – Updated: 2025-07-28 21:31
VLAI
Details

Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T19:15:42Z",
    "severity": "HIGH"
  },
  "details": "Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank \u0026 Donor Management System v2.4 allows attackers to execute a session hijacking attack.",
  "id": "GHSA-fjjv-535c-93p3",
  "modified": "2025-07-28T21:31:34Z",
  "published": "2025-07-28T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VasilVK/CVE/tree/main/CVE-2025-50487"
    },
    {
      "type": "WEB",
      "url": "http://blood.com"
    },
    {
      "type": "WEB",
      "url": "http://phpgurukul.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMQH-2M79-343W

Vulnerability from github – Published: 2025-05-12 18:31 – Updated: 2025-05-12 18:31
VLAI
Details

A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred.",
  "id": "GHSA-fmqh-2m79-343w",
  "modified": "2025-05-12T18:31:47Z",
  "published": "2025-05-12T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46741"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/products/software/latest-software-versions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMQW-VQH5-CWQ9

Vulnerability from github – Published: 2019-12-02 18:19 – Updated: 2021-08-19 16:03
VLAI
Summary
Apache NiFi user log out issue
Details

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-web-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-web-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-02T17:32:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user\u0027s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.",
  "id": "GHSA-fmqw-vqh5-cwq9",
  "modified": "2021-08-19T16:03:16Z",
  "published": "2019-12-02T18:19:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/pull/3362"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/cf6f5172503ce438c6c22c334c9367f774db7b24"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2019-12421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache NiFi user log out issue"
}

GHSA-FP3Q-9278-8PPC

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-10-02 00:00
VLAI
Details

IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-30T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.",
  "id": "GHSA-fp3q-9278-8ppc",
  "modified": "2022-10-02T00:00:33Z",
  "published": "2022-05-24T17:35:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4696"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/186789"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6372528"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP6Q-GCCW-7QQM

Vulnerability from github – Published: 2024-10-22 17:55 – Updated: 2024-10-22 19:22
VLAI
Summary
Umbraco CMS logout page displayed before session expiration
Details

Impact

The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.CMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.CMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoCMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.18.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-48926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-22T17:55:01Z",
    "nvd_published_at": "2024-10-22T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are.\n",
  "id": "GHSA-fp6q-gccw-7qqm",
  "modified": "2024-10-22T19:22:29Z",
  "published": "2024-10-22T17:55:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48926"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco CMS logout page displayed before session expiration"
}

GHSA-FPCR-4RR5-HPCP

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-02-10 14:16
VLAI
Summary
Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used
Details

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.2-0.20170714134023-b17fca0d5ee7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T22:42:23Z",
    "nvd_published_at": "2020-06-19T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else\u0027s account.",
  "id": "GHSA-fpcr-4rr5-hpcp",
  "modified": "2026-02-10T14:16:10Z",
  "published": "2022-05-24T17:21:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18906"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/259ad46f30d0fac2f7c5c14f3b76b2170f7e90c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/b17fca0d5ee7557e3df1cf1d1da8bd749859e35f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/fbc170733e86f09b46ba754dd03304733d2f482f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used"
}

GHSA-FPG4-3688-Q56C

Vulnerability from github – Published: 2024-02-27 03:31 – Updated: 2024-08-16 18:30
VLAI
Details

An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-27T01:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function.",
  "id": "GHSA-fpg4-3688-q56c",
  "modified": "2024-08-16T18:30:55Z",
  "published": "2024-02-27T03:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22543"
    },
    {
      "type": "WEB",
      "url": "https://mat4mee.notion.site/Leaked-SessionID-can-lead-to-authentication-bypass-on-the-Linksys-Router-E1700-f56f9c4b15e7443fa237bd1b101a18d2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPRX-3CV4-96VC

Vulnerability from github – Published: 2024-07-23 09:30 – Updated: 2025-07-10 18:31
VLAI
Details

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.

Mitigation:

all users should upgrade to 2.1.4

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-23T09:15:02Z",
    "severity": "CRITICAL"
  },
  "details": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4",
  "id": "GHSA-fprx-3cv4-96vc",
  "modified": "2025-07-10T18:31:13Z",
  "published": "2024-07-23T09:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29070"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.