CWE-613
Insufficient Session Expiration
Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (239)
Page 11 of 12. The Vendor / Product, Sev and KEV columns are empty for every row on this page and are omitted below.

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-3461 | 0.00 | — | 0.00 | Apr 1, 2022 | A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. |
| CVE-2022-1155 | 0.00 | — | 0.01 | Mar 30, 2022 | Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10. |
| CVE-2022-0991 | 0.00 | — | 0.01 | Mar 19, 2022 | Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9. |
| CVE-2022-24743 | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password… |
| CVE-2022-24744 | 0.00 | — | 0.00 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of… |
| CVE-2022-24732 | 0.00 | — | 0.00 | Mar 9, 2022 | Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired… |
| CVE-2022-21652 | 0.00 | — | 0.01 | Jan 5, 2022 | Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a… |
| CVE-2021-25979 | 0.00 | — | 0.01 | Nov 8, 2021 | Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older… |
| CVE-2021-41247 | 0.00 | — | 0.01 | Nov 4, 2021 | JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not… |
| CVE-2021-25970 | 0.00 | — | 0.01 | Oct 20, 2021 | Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in will still have access to the application even after the password was changed. |
| CVE-2021-33322 | 0.00 | — | 0.01 | Aug 3, 2021 | In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the… |
| CVE-2021-32710 | 0.00 | — | 0.01 | Jun 24, 2021 | Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.… |
| CVE-2021-34428 | 0.00 | — | 0.01 | Jun 22, 2021 | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can… |
| CVE-2021-32923 | 0.00 | — | 0.01 | Jun 3, 2021 | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,… |
| CVE-2021-31408 | 0.00 | — | 0.00 | Apr 23, 2021 | Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access… |
| CVE-2009-20001 | 0.00 | — | 0.01 | Mar 7, 2021 | An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login… |
| CVE-2021-3144 | 0.00 | — | 0.05 | Feb 27, 2021 | In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.) |
| CVE-2021-21032 | 0.00 | — | 0.02 | Feb 11, 2021 | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for… |
| CVE-2021-21031 | 0.00 | — | 0.02 | Feb 11, 2021 | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful… |
| CVE-2021-3311 | 0.00 | — | 0.03 | Feb 5, 2021 | An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session… |
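The entries on this page cluster around a few recurring gaps: a session that survives logout (CVE-2009-20001, CVE-2021-3311), a session that survives a password change, a password reset or an account disable (CVE-2021-25970, CVE-2022-21652, CVE-2022-24744, CVE-2021-25979), a reset token that can be presented more than once or after the password has already changed (CVE-2022-24743, CVE-2021-33322), and a token honoured once past its expiry (CVE-2021-3144). The Python below is an added example, not code from this page or from any of the listed projects. It is a server-side session and reset-token store that closes each of those gaps with one mechanism: every session and reset token records a per-user credential version at issue time, and the version is bumped on password change, reset or disable, so older artifacts fail validation without a table scan. Idle and absolute lifetimes are checked before the session is used, and a reset token is removed on first presentation whether or not it is accepted. The user names, timeouts, clock values and in-memory dictionaries are constructed for the example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity after which a session is dead
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard ceiling on session age, however active it is
RESET_TOKEN_TTL = 15 * 60        # seconds a password-reset token stays usable

@dataclass
class User:
    name: str
    disabled: bool = False
    # Bumped on every password change, reset or account disable. Sessions and reset
    # tokens record the version they were issued under, so older ones fail validation.
    credential_version: int = 0

@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    credential_version: int

@dataclass
class ResetToken:
    user: str
    expires_at: float
    credential_version: int

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()   # store hashes, never raw tokens

class SessionStore:   # in-memory stand-in for the server-side session and token tables (constructed)
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.reset_tokens: dict[str, ResetToken] = {}   # keyed by sha256(token)

    def add_user(self, name: str) -> None:
        self.users[name] = User(name)

    def login(self, name: str, now: float) -> str:
        u = self.users[name]
        if u.disabled:
            raise PermissionError(f"account {name} is disabled")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, now, now, u.credential_version)
        return sid

    def validate(self, sid: str, now: float) -> str | None:
        """Return the user for a live session, else None; dead sessions are purged on sight."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        u = self.users.get(s.user)
        alive = (
            u is not None and not u.disabled
            and s.credential_version == u.credential_version  # password changed or account disabled since
            and now - s.last_seen < IDLE_TIMEOUT               # expiry decided before use, never after
            and now - s.issued_at < ABSOLUTE_TIMEOUT
        )
        if not alive:
            self.sessions.pop(sid, None)
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)   # drop the server-side record; clearing the cookie alone is not enough

    def change_password(self, name: str) -> None:
        self.users[name].credential_version += 1   # every earlier session and reset token now fails

    def disable_user(self, name: str) -> None:
        u = self.users[name]
        u.disabled = True
        u.credential_version += 1

    def issue_reset_token(self, name: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        u = self.users[name]
        self.reset_tokens[_digest(token)] = ResetToken(name, now + RESET_TOKEN_TTL, u.credential_version)
        return token

    def consume_reset_token(self, token: str, now: float) -> bool:
        """Single use: the record is removed on first presentation whether or not it is accepted."""
        t = self.reset_tokens.pop(_digest(token), None)
        if t is None:
            return False
        u = self.users.get(t.user)
        if u is None or u.disabled or t.credential_version != u.credential_version or now >= t.expires_at:
            return False
        self.change_password(t.user)   # a reset is a credential change: sessions opened before it die
        return True
```

The expiry comparisons are strict (`<` against the deadline for sessions, `>=` for tokens), so an artifact presented exactly at its limit is rejected rather than honoured one last time, and the check happens before the session's `last_seen` is touched so that a stale session cannot refresh itself on the request that should have killed it. Because a consumed reset token calls `change_password`, any session opened under the old password is dropped at its next validation, which is the behaviour CVE-2022-24744 and CVE-2022-21652 describe as missing.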