VYPR

CWE-613

Insufficient Session Expiration

Base, Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 11 of 12
  • CVE-2021-3461 (Apr 1, 2022)
    risk 0.00 cvss, epss 0.00

    A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

  • CVE-2022-1155 (Mar 30, 2022)
    risk 0.00 cvss, epss 0.01

    Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10.

  • CVE-2022-0991 (Mar 19, 2022)
    risk 0.00 cvss, epss 0.01

    Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.

  • CVE-2022-24743 (Mar 14, 2022)
    risk 0.00 cvss, epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password…

  • CVE-2022-24744 (Mar 9, 2022)
    risk 0.00 cvss, epss 0.00

    Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of…

  • CVE-2022-24732 (Mar 9, 2022)
    risk 0.00 cvss, epss 0.00

    Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired…

  • CVE-2022-21652 (Jan 5, 2022)
    risk 0.00 cvss, epss 0.01

    Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a…

  • CVE-2021-25979 (Nov 8, 2021)
    risk 0.00 cvss, epss 0.01

    Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older…

  • CVE-2021-41247 (Nov 4, 2021)
    risk 0.00 cvss, epss 0.01

    JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not…

  • CVE-2021-25970 (Oct 20, 2021)
    risk 0.00 cvss, epss 0.01

    Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in will still have access to the application even after the password was changed.

  • CVE-2021-33322 (Aug 3, 2021)
    risk 0.00 cvss, epss 0.01

    In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password reset tokens are not invalidated after a user changes their password, which allows remote attackers to change the user’s password via the…

  • CVE-2021-32710 (Jun 24, 2021)
    risk 0.00 cvss, epss 0.01

    Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.…

  • CVE-2021-34428 (Jun 22, 2021)
    risk 0.00 cvss, epss 0.01

    For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can…

  • CVE-2021-32923 (Jun 3, 2021)
    risk 0.00 cvss, epss 0.01

    HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,…

  • CVE-2021-31408 (Apr 23, 2021)
    risk 0.00 cvss, epss 0.00

    Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access…

  • CVE-2009-20001 (Mar 7, 2021)
    risk 0.00 cvss, epss 0.01

    An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login…

  • CVE-2021-3144 (Feb 27, 2021)
    risk 0.00 cvss, epss 0.05

    In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

  • CVE-2021-21032 (Feb 11, 2021)
    risk 0.00 cvss, epss 0.02

    Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for…

  • CVE-2021-21031 (Feb 11, 2021)
    risk 0.00 cvss, epss 0.02

    Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful…

  • CVE-2021-3311 (Feb 5, 2021)
    risk 0.00 cvss, epss 0.03

    An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session…