Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

874 vulnerabilities reference this CWE, most recent first.

GHSA-V8FQ-GQ9J-3V7H

Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:34
VLAI
Summary
OpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events
Details

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0a0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-5252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:16:58Z",
    "nvd_published_at": "2014-08-25T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.",
  "id": "GHSA-v8fq-gq9j-3v7h",
  "modified": "2024-11-26T18:34:19Z",
  "published": "2022-05-17T04:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/556fb860311675fc437585651e4602b2908451eb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/a4c73e4382cb062aa9f30fe1960d5014d3c49cc2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1348820"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-108.yaml"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2324-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events"
}

GHSA-VC8Q-VV59-F54C

Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2026-07-05 00:31
VLAI
Details

Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.",
  "id": "GHSA-vc8q-vv59-f54c",
  "modified": "2026-07-05T00:31:35Z",
  "published": "2022-08-20T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34624"
    },
    {
      "type": "WEB",
      "url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624"
    },
    {
      "type": "WEB",
      "url": "http://hkotel.com"
    },
    {
      "type": "WEB",
      "url": "http://mealie.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCPX-24GH-52MR

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:19:15Z",
    "severity": "LOW"
  },
  "details": "HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity",
  "id": "GHSA-vcpx-24gh-52mr",
  "modified": "2026-06-17T18:35:43Z",
  "published": "2026-06-17T18:35:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62340"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCRM-8V3J-V6F3

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2023-08-31 03:30
VLAI
Details

When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid.

This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions.

OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-20T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid.\n\nThis issue affects\n((OTRS)) Community Edition: \n6.0.28 and prior versions.\n\nOTRS:\n7.0.18 and prior versions,\n8.0.4. and prior versions.",
  "id": "GHSA-vcrm-8v3j-v6f3",
  "modified": "2023-08-31T03:30:36Z",
  "published": "2022-05-24T17:23:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1776"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCVM-P9XP-25XG

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
  "id": "GHSA-vcvm-p9xp-25xg",
  "modified": "2022-05-24T19:13:53Z",
  "published": "2022-05-24T19:13:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29012"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-20-070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VFFG-826V-Q23H

Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30
VLAI
Details

A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T12:15:32Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions \u003e= V13.2 \u003c V2506), SOA Audit (All versions \u003e= V13.2 \u003c V2506), SOA Cockpit (All versions \u003e= V13.2 \u003c V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.",
  "id": "GHSA-vffg-826v-q23h",
  "modified": "2025-08-12T12:30:33Z",
  "published": "2025-08-12T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41985"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-382999.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VFJ3-Q2VQ-3XRJ

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:13
VLAI
Details

cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-09T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).",
  "id": "GHSA-vfj3-q2vq-3xrj",
  "modified": "2024-04-04T02:13:33Z",
  "published": "2022-05-24T16:58:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17375"
    },
    {
      "type": "WEB",
      "url": "https://documentation.cpanel.net/display/CL/82+Change+Log"
    },
    {
      "type": "WEB",
      "url": "https://news.cpanel.com/cpanel-tsr-2019-0005-full-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG2X-VPGH-C7JJ

Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30
VLAI
Details

IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 275116.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T01:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  275116.\n\n",
  "id": "GHSA-vg2x-vpgh-c7jj",
  "modified": "2024-02-02T03:30:32Z",
  "published": "2024-02-02T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50936"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275116"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7113759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGVJ-F6VF-5394

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-05-14 03:46
VLAI
Details

IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-19T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another users session during a small timeframe before the session times out. IBM X-Force ID: 134164.",
  "id": "GHSA-vgvj-f6vf-5394",
  "modified": "2022-05-14T03:46:13Z",
  "published": "2022-05-14T03:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1693"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/134164"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22012642"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102760"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJPM-6M6X-4M32

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-20T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.",
  "id": "GHSA-vjpm-6m6x-4m32",
  "modified": "2022-05-13T01:36:42Z",
  "published": "2022-05-13T01:36:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3215"
    },
    {
      "type": "WEB",
      "url": "https://duo.com/blog/bug-hunting-drilling-into-the-internet-of-things-iot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.