CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
874 vulnerabilities reference this CWE, most recent first.
GHSA-V8FQ-GQ9J-3V7H
Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:34The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0a0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-5252"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:16:58Z",
"nvd_published_at": "2014-08-25T14:55:00Z",
"severity": "HIGH"
},
"details": "The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.",
"id": "GHSA-v8fq-gq9j-3v7h",
"modified": "2024-11-26T18:34:19Z",
"published": "2022-05-17T04:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5252"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/556fb860311675fc437585651e4602b2908451eb"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/a4c73e4382cb062aa9f30fe1960d5014d3c49cc2"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1348820"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-108.yaml"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2324-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events"
}
GHSA-VC8Q-VV59-F54C
Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2026-07-05 00:31Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
{
"affected": [],
"aliases": [
"CVE-2022-34624"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.",
"id": "GHSA-vc8q-vv59-f54c",
"modified": "2026-07-05T00:31:35Z",
"published": "2022-08-20T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34624"
},
{
"type": "WEB",
"url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624"
},
{
"type": "WEB",
"url": "http://hkotel.com"
},
{
"type": "WEB",
"url": "http://mealie.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCPX-24GH-52MR
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity
{
"affected": [],
"aliases": [
"CVE-2025-62340"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:19:15Z",
"severity": "LOW"
},
"details": "HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity",
"id": "GHSA-vcpx-24gh-52mr",
"modified": "2026-06-17T18:35:43Z",
"published": "2026-06-17T18:35:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62340"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131511"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCRM-8V3J-V6F3
Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2023-08-31 03:30When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid.
This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions.
OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
{
"affected": [],
"aliases": [
"CVE-2020-1776"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-20T21:15:00Z",
"severity": "MODERATE"
},
"details": "When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid.\n\nThis issue affects\n((OTRS)) Community Edition: \n6.0.28 and prior versions.\n\nOTRS:\n7.0.18 and prior versions,\n8.0.4. and prior versions.",
"id": "GHSA-vcrm-8v3j-v6f3",
"modified": "2023-08-31T03:30:36Z",
"published": "2022-05-24T17:23:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1776"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2020-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCVM-P9XP-25XG
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
{
"affected": [],
"aliases": [
"CVE-2020-29012"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T11:15:00Z",
"severity": "MODERATE"
},
"details": "An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
"id": "GHSA-vcvm-p9xp-25xg",
"modified": "2022-05-24T19:13:53Z",
"published": "2022-05-24T19:13:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29012"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-20-070"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VFFG-826V-Q23H
Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.
{
"affected": [],
"aliases": [
"CVE-2024-41985"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T12:15:32Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions \u003e= V13.2 \u003c V2506), SOA Audit (All versions \u003e= V13.2 \u003c V2506), SOA Cockpit (All versions \u003e= V13.2 \u003c V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.",
"id": "GHSA-vffg-826v-q23h",
"modified": "2025-08-12T12:30:33Z",
"published": "2025-08-12T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41985"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-382999.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VFJ3-Q2VQ-3XRJ
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:13cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
{
"affected": [],
"aliases": [
"CVE-2019-17375"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T16:15:00Z",
"severity": "HIGH"
},
"details": "cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).",
"id": "GHSA-vfj3-q2vq-3xrj",
"modified": "2024-04-04T02:13:33Z",
"published": "2022-05-24T16:58:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17375"
},
{
"type": "WEB",
"url": "https://documentation.cpanel.net/display/CL/82+Change+Log"
},
{
"type": "WEB",
"url": "https://news.cpanel.com/cpanel-tsr-2019-0005-full-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG2X-VPGH-C7JJ
Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.
{
"affected": [],
"aliases": [
"CVE-2023-50936"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T01:15:08Z",
"severity": "MODERATE"
},
"details": "IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.\n\n",
"id": "GHSA-vg2x-vpgh-c7jj",
"modified": "2024-02-02T03:30:32Z",
"published": "2024-02-02T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50936"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275116"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7113759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VGVJ-F6VF-5394
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-05-14 03:46IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.
{
"affected": [],
"aliases": [
"CVE-2017-1693"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-19T14:29:00Z",
"severity": "MODERATE"
},
"details": "IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.",
"id": "GHSA-vgvj-f6vf-5394",
"modified": "2022-05-14T03:46:13Z",
"published": "2022-05-14T03:46:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1693"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/134164"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22012642"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102760"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJPM-6M6X-4M32
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.
{
"affected": [],
"aliases": [
"CVE-2017-3215"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-20T00:29:00Z",
"severity": "MODERATE"
},
"details": "The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.",
"id": "GHSA-vjpm-6m6x-4m32",
"modified": "2022-05-13T01:36:42Z",
"published": "2022-05-13T01:36:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3215"
},
{
"type": "WEB",
"url": "https://duo.com/blog/bug-hunting-drilling-into-the-internet-of-things-iot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.