CWE-613
Insufficient Session Expiration
Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (239)
page 1 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6545 | | Cri | 0.64 | 9.8 | 0.03 | | Jul 13, 2018 | Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the… |
| CVE-2016-5069 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 10, 2017 | Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL. |
| CVE-2026-8670 | | Cri | 0.62 | 9.6 | 0.00 | | May 22, 2026 | Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1. |
| CVE-2017-6529 | | Hig | 0.60 | 8.8 | 0.03 | | Mar 9, 2017 | An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter. |
| CVE-2026-41902 | | Cri | 0.59 | 9.1 | 0.00 | | May 7, 2026 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains… |
| CVE-2024-27455 | | Cri | 0.59 | 9.1 | 0.01 | | Feb 26, 2024 | In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. |
| CVE-2026-34572 | | Hig | 0.57 | 8.8 | 0.01 | | Apr 1, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a… |
| CVE-2026-34570 | | Hig | 0.57 | 8.8 | 0.01 | | Apr 1, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic… |
| CVE-2026-21622 | | Cri | 0.57 | 9.8 | 0.00 | | Mar 5, 2026 | Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email… |
| CVE-2025-49152 | — | Hig | 0.57 | — | 0.00 | | Jun 25, 2025 | The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system. |
| CVE-2024-45386 | | Hig | 0.57 | 8.8 | 0.01 | | Feb 11, 2025 | A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions <… |
| CVE-2023-22650 | | Hig | 0.57 | 8.8 | 0.01 | | Oct 16, 2024 | A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which… |
| CVE-2024-5995 | | Hig | 0.57 | 8.8 | 0.00 | | Jun 14, 2024 | The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. The expiration of the session is not properly configured, remaining valid for more than 7 days and can be reused. |
| CVE-2018-0152 | | Hig | 0.57 | 8.8 | 0.03 | | Mar 28, 2018 | A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each… |
| CVE-2018-1195 | | Hig | 0.57 | 8.8 | 0.01 | | Mar 19, 2018 | In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would… |
| CVE-2017-15653 | | Hig | 0.57 | 8.8 | 0.02 | | Jan 31, 2018 | Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string. |
| CVE-2015-5171 | | Cri | 0.57 | 9.8 | 0.01 | | Oct 24, 2017 | The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. |
| CVE-2025-66223 | | Hig | 0.55 | — | 0.00 | | Nov 29, 2025 | OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different… |
| CVE-2026-44553 | | Hig | 0.53 | 8.1 | 0.00 | | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked… |
| CVE-2025-55278 | | Hig | 0.53 | 8.1 | 0.00 | | Nov 5, 2025 | Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to… |