Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-H9Q8-5GV2-V6MG

Vulnerability from github – Published: 2021-03-12 23:09 – Updated: 2026-02-02 21:01
VLAI
Summary
Potential Session Hijacking
Details

Impact

Potential session hijacking of store customers.

Patches

We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

Workarounds

For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

For more information

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.3.5.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T22:10:34Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nPotential session hijacking of store customers.\n\n### Patches\nWe recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021",
  "id": "GHSA-h9q8-5gv2-v6mg",
  "modified": "2026-02-02T21:01:07Z",
  "published": "2021-03-12T23:09:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32710"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/shopware/platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Potential Session Hijacking"
}

GHSA-HGX3-J7FM-PJM3

Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 21:30
VLAI
Details

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T16:15:51Z",
    "severity": "HIGH"
  },
  "details": "nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a \na valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.",
  "id": "GHSA-hgx3-j7fm-pjm3",
  "modified": "2025-12-01T21:30:26Z",
  "published": "2025-12-01T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nopSolutions/nopCommerce/issues/7044"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2025/Aug/14"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/633103"
    },
    {
      "type": "WEB",
      "url": "https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJC2-P4MC-RCPR

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-04-24 00:31
VLAI
Details

A vulnerability exists in SenseLive

X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T00:16:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in\u00a0SenseLive\n\nX3050\u2019s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.",
  "id": "GHSA-hjc2-p4mc-rcpr",
  "modified": "2026-04-24T00:31:52Z",
  "published": "2026-04-24T00:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-12.json"
    },
    {
      "type": "WEB",
      "url": "https://senselive.io/contact"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HMPP-GH47-8R55

Vulnerability from github – Published: 2022-05-14 03:30 – Updated: 2022-05-14 03:30
VLAI
Details

Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-20T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information.",
  "id": "GHSA-hmpp-gh47-8r55",
  "modified": "2022-05-14T03:30:15Z",
  "published": "2022-05-14T03:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5438"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-025-01"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMVM-G3WG-H58R

Vulnerability from github – Published: 2023-10-17 03:32 – Updated: 2024-04-04 08:42
VLAI
Details

IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 199324.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-17T02:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nIBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration.  IBM X-Force ID:  199324.\n\n",
  "id": "GHSA-hmvm-g3wg-h58r",
  "modified": "2024-04-04T08:42:15Z",
  "published": "2023-10-17T03:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20581"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199324"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7047202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP29-CWPV-2M4X

Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2024-04-04 08:28
VLAI
Details

An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. 

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T13:15:20Z",
    "severity": "HIGH"
  },
  "details": "\nAn authenticated user\u0027s session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n",
  "id": "GHSA-hp29-cwpv-2m4x",
  "modified": "2024-04-04T08:28:56Z",
  "published": "2023-10-10T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40537"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K29141800"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP8H-7X69-4WMV

Vulnerability from github – Published: 2024-04-10 17:16 – Updated: 2024-04-11 14:31
VLAI
Summary
zcap has incomplete expiration checks in capability chains.
Details

Impact

When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the expires property is not properly checked against the current date or other date param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material.

Patches

@digitalbazaar/zcap v9.0.1 fixes expiration checking.

Workarounds

A zcap could be revoked at any time.

References

https://github.com/digitalbazaar/zcap/pull/82

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@digitalbazaar/zcap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:16:15Z",
    "nvd_published_at": "2024-04-10T22:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param.  This can allow invocations outside of the original intended time period.  A zcap still cannot be invoked without being able to use the associated private key material.\n\n### Patches\n\n`@digitalbazaar/zcap` v9.0.1 fixes expiration checking.\n\n### Workarounds\n\nA zcap could be revoked at any time.\n\n### References\n\nhttps://github.com/digitalbazaar/zcap/pull/82",
  "id": "GHSA-hp8h-7x69-4wmv",
  "modified": "2024-04-11T14:31:30Z",
  "published": "2024-04-10T17:16:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/zcap/security/advisories/GHSA-hp8h-7x69-4wmv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31995"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/zcap/pull/82"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/zcap/commit/261eea040109b6e25159c88d8ed49d3c37f8fcfe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/zcap/commit/55f8549c80124b85dfb0f3dcf83f2c63f42532e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/zcap"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zcap has incomplete expiration checks in capability chains."
}

GHSA-HR7J-63V7-VJ7G

Vulnerability from github – Published: 2026-02-17 17:15 – Updated: 2026-02-17 17:15
VLAI
Summary
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Details

Summary

Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.

Details

When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.

Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.

This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.

This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.

PoC

Scenario 1: Account deletion 1. Create a user with SFTP access to a server. 2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla). 3. Keep the SFTP session open and active. 4. Delete the user account from the Pterodactyl Panel. 5. Continue performing file operations through the already-established SFTP connection.

Result: The SFTP session remains active and usable despite the user account being deleted.

Scenario 2: Password change 1. Create a user with SFTP access to a server. 2. Establish an active SFTP connection. 3. Change the user's password (including via administrator panel). 4. Continue performing file operations using the existing SFTP connection.

Result: The SFTP session remains active and usable even after the password has been changed.

Impact

This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue

Impacted parties:

  1. Server administrators
  2. Hosting providers using Pterodactyl Panel

Security impact:

Deleted users may retain filesystem access longer than intended, which can lead to:

  1. Unauthorized data access
  2. Data modification or deletion
  3. Compliance and security policy violations
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pterodactyl/panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pterodactyl/wings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T17:15:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nDeleting a user account with SFTP access or changing the user\u0027s password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.\nThis can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.\n\n\n### Details\nWhen a user with SFTP access is deleted from the Pterodactyl Panel or when the user\u0027s password is changed while one or more SFTP connections are active, those existing connections remain fully functional.\n\nNeither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.\n\nThis behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.\n\nThis suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.\n\n\n### PoC\nScenario 1: Account deletion\n1. Create a user with SFTP access to a server.\n2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).\n3. Keep the SFTP session open and active.\n4. Delete the user account from the Pterodactyl Panel.\n5. Continue performing file operations through the already-established SFTP connection.\n\nResult:\nThe SFTP session remains active and usable despite the user account being deleted.\n\nScenario 2: Password change\n1. Create a user with SFTP access to a server.\n2. Establish an active SFTP connection.\n3. Change the user\u0027s password (including via administrator panel).\n4. Continue performing file operations using the existing SFTP connection.\n\nResult:\nThe SFTP session remains active and usable even after the password has been changed.\n\n\n### Impact\nThis issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue\n\nImpacted parties:\n\n1. Server administrators\n2. Hosting providers using Pterodactyl Panel\n\nSecurity impact:\n\nDeleted users may retain filesystem access longer than intended, which can lead to:\n\n1. Unauthorized data access\n2. Data modification or deletion\n3. Compliance and security policy violations",
  "id": "GHSA-hr7j-63v7-vj7g",
  "modified": "2026-02-17T17:15:19Z",
  "published": "2026-02-17T17:15:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/panel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pterodactyl Panel\u0027s SFTP sessions remain active after user account deletion or password change"
}

GHSA-HV2J-4G9F-CHQP

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-07-17 15:32
VLAI
Details

MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-25T17:15:38Z",
    "severity": "HIGH"
  },
  "details": "MICROSENS NMP Web+\u00a0contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.",
  "id": "GHSA-hv2j-4g9f-chqp",
  "modified": "2025-07-17T15:32:09Z",
  "published": "2025-06-26T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49152"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07"
    },
    {
      "type": "WEB",
      "url": "https://www.microsens.com/support/downloads/nmp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HVM9-WC8J-MGRC

Vulnerability from github – Published: 2024-12-18 18:19 – Updated: 2024-12-18 18:19
VLAI
Summary
TShock Security Escalation Exploit
Details

Impact

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, if the following conditions are met a player may assume the login state of a previously connected player: 1. The server has UUID login enabled 2. An authenticated player disconnects 3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection 4. The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player

Patches

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

Workarounds

Implement a RemoteClient reset event handler in a plugin like so:

public override void Initialize()
{
        On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    client.ClientUUID = null;
        orig(client);
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "TShock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.21"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-613",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-18T18:19:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nAn issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects.\n\nBecause of this, if the following conditions are met a player may assume the login state of a previously connected player:\n1. The server has UUID login enabled\n2. An authenticated player disconnects\n3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection\n4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player\n\n\n### Patches\nTShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.\n\n### Workarounds\nImplement a RemoteClient reset event handler in a plugin like so:\n```csharp\npublic override void Initialize()\n{\n        On.Terraria.RemoteClient.Reset += RemoteClient_Reset;\n}\n\nprivate static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)\n{\n\tclient.ClientUUID = null;\n        orig(client);\n}\n```\n\n",
  "id": "GHSA-hvm9-wc8j-mgrc",
  "modified": "2024-12-18T18:19:12Z",
  "published": "2024-12-18T18:19:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Pryaxis/TShock"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TShock Security Escalation Exploit"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.