VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base / Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 2 of 12
  • CVE-2021-47663 | High | Apr 24, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.

  • CVE-2025-42602 | High | Apr 23, 2025
    risk 0.53 | cvss n/a | epss 0.00

    This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body…

  • CVE-2025-24973 | Critical | Feb 11, 2025
    risk 0.53 | cvss 9.3 | epss 0.00

    Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may…

  • CVE-2017-11667 | High | Jul 26, 2017
    risk 0.53 | cvss 8.1 | epss 0.01

    OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

  • CVE-2016-8712 | High | Apr 13, 2017
    risk 0.53 | cvss 8.1 | epss 0.01

    An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300…

  • CVE-2026-53776 | Critical | Jun 16, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a…

  • CVE-2025-57735 | Critical | Apr 9, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about…

  • CVE-2025-2185 | High | Apr 25, 2025
    risk 0.52 | cvss 8.0 | epss 0.00

    ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming…

  • CVE-2021-35473 | Critical | Nov 10, 2024
    risk 0.52 | cvss 9.1 | epss 0.00

    An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use an expired access token from an OIDC client to access the OAuth2 handler. The earliest affected…

  • CVE-2018-10990 | High | May 14, 2018
    risk 0.52 | cvss 8.0 | epss 0.01

    On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least…

  • CVE-2025-15552 | High | Mar 16, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

  • CVE-2026-53843 | High | Jun 16, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval,…

  • CVE-2026-46656 | High | Jun 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain…

  • CVE-2026-41133 | High | Apr 22, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's…

  • CVE-2026-26060 | High | Mar 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be…

  • CVE-2025-64386 | High | Oct 31, 2025
    risk 0.50 | cvss n/a | epss 0.00

    The equipment grants a JWT token for each connection in the timeline, but during an active valid session, a hijacking of the token can be done. This will allow an attacker with the token modify parameters of security, access or even steal the session without the legitimate and…

  • CVE-2025-1968 | High | Apr 9, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks). This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from…

  • CVE-2021-47740 | High | Dec 31, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device…

  • CVE-2017-12159 | High | Oct 26, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

  • CVE-2017-12191 | High | Feb 28, 2018
    risk 0.48 | cvss 7.4 | epss 0.01

    A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could…
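The entries above recur in a handful of shapes: a token that keeps working after logout (CVE-2025-57735, CVE-2018-10990, CVE-2025-24973), no idle or absolute timeout so a hijacked session lives indefinitely (CVE-2017-11667, CVE-2021-47740), an expiry that is never actually checked (CVE-2026-53776, CVE-2021-35473), and a session that outlives the account or privileges it was issued for (CVE-2026-46656, CVE-2026-41133). The store below is an added example in Python, not code from any product on this page. It puts the CWE-613 lookup (any token ever issued is accepted, with the role cached at login) beside a validation that enforces all four points. The policy values (8 h absolute lifetime, 15 min idle timeout) and the in-memory clock are assumptions made so the expiry paths can be exercised offline.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: hard cap measured from login
IDLE_TIMEOUT = 15 * 60         # assumed policy: cap on the gap between two requests


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    cached_role: str           # role copied at login; trusting it later is the bug
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._roles: Dict[str, str] = {}   # user -> current role; absent = deleted

    # account management: every change to an account ends its live sessions
    def add_user(self, user: str, role: str) -> None:
        self._roles[user] = role
    def delete_user(self, user: str) -> None:
        self._roles.pop(user, None)
        self.revoke_all(user)              # no "ghost sessions" for deleted accounts
    def change_role(self, user: str, role: str) -> None:
        self._roles[user] = role
        self.revoke_all(user)              # force re-login so stale privileges die
    def revoke_all(self, user: str) -> None:
        for s in self._sessions.values():
            if s.user == user:
                s.revoked = True

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 CSPRNG bits: not guessable
        now = self._clock()
        self._sessions[token] = Session(user, now, now, self._roles[user])
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)    # drop server state, not just the cookie

    def naive_lookup(self, token: str) -> Optional[str]:
        """The CWE-613 shape: any token ever issued works, with its login-time role."""
        s = self._sessions.get(token)
        return s.cached_role if s else None

    def validate(self, token: str) -> Optional[str]:
        """Return the user's current role, or None if the session is not usable."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # expired: forget it, don't just deny
            return None
        if s.user not in self._roles:        # account deleted after login
            self._sessions.pop(token, None)
            return None
        s.last_seen = now
        return self._roles[s.user]           # live role, never the cached copy


def demo() -> Dict[str, Optional[str]]:
    clock = [1_700_000_000.0]                # constructed clock so expiry runs offline
    store = SessionStore(lambda: clock[0])
    store.add_user("alice", "user")
    store.add_user("bob", "admin")
    out: Dict[str, Optional[str]] = {}
    t = store.login("alice")
    out["fresh"] = store.validate(t)                     # "user"
    clock[0] += IDLE_TIMEOUT + 1
    out["naive_after_idle"] = store.naive_lookup(t)      # "user": idle never checked
    out["after_idle"] = store.validate(t)                # None
    t = store.login("alice")
    for _ in range(50):                                  # active every 10 min for ~8.3 h
        clock[0] += 600
        out["after_absolute"] = store.validate(t)        # None: hard cap still applies
    t = store.login("alice")
    store.logout(t)
    out["after_logout"] = store.validate(t)              # None: replayed token refused
    t = store.login("bob")
    store.change_role("bob", "user")
    out["naive_after_demotion"] = store.naive_lookup(t)  # "admin": stale privilege
    out["after_demotion"] = store.validate(t)            # None: revoked on change
    t = store.login("bob")
    store.delete_user("bob")
    out["ghost_session"] = store.validate(t)             # None
    return out


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:22} -> {role}")
```

Two choices matter more than the numbers. First, expiry and revocation are decided on the server from state the client cannot influence; clearing a cookie, or trusting an `exp` claim the verifier is configured to skip, leaves the credential replayable by anyone who captured it. Second, authorization reads the account's current role on every request and never the copy taken at login, so a demotion or deletion takes effect immediately instead of at the next voluntary re-login. Bearer tokens such as JWTs that cannot be looked up server-side need a denylist keyed on the token ID (or a per-user "not before" timestamp) to get the same logout and revocation behaviour.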