VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base; Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 3 of 12
  • CVE-2017-6145 (High) Oct 20, 2017
    risk 0.48, CVSS 7.3, EPSS 0.01

    iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate…

  • CVE-2026-32663 (High) Mar 20, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the…

  • CVE-2026-27649 (High) Mar 20, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where…

  • CVE-2026-27764 (High) Mar 6, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the…

  • CVE-2026-20748 (High) Mar 6, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the…

  • CVE-2026-24912 (High) Mar 6, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the…

  • CVE-2026-43983 (High) May 12, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current…

  • CVE-2026-34503 (High) Mar 31, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

  • CVE-2025-15553 (High) Mar 16, 2026
    risk 0.46, CVSS 7.1, EPSS 0.00

    Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

  • CVE-2026-49229 (High) Jun 22, 2026
    risk 0.45, CVSS not listed, EPSS not listed

    Summary: In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the…

  • CVE-2025-61775 (Medium) Oct 13, 2025
    risk 0.45, CVSS not listed, EPSS 0.00

    Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a…

  • CVE-2026-9802 (Medium) May 28, 2026
    risk 0.44, CVSS 6.8, EPSS 0.00

    A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even…

  • CVE-2025-4407 (Medium) Jun 30, 2025
    risk 0.44, CVSS 6.7, EPSS 0.00

    Insufficient Session Expiration vulnerability in ABB Lite Panel Pro. This issue affects Lite Panel Pro: through 1.0.1.

  • CVE-2024-31556 (High) May 14, 2024
    risk 0.44, CVSS 7.8, EPSS 0.00

    An issue in Reportico Web before v.8.1.0 allows a local attacker to execute arbitrary code and obtain sensitive information via the sessionid function.

  • CVE-2018-2451 (Medium) Aug 14, 2018
    risk 0.43, CVSS 6.6, EPSS 0.01

    XS Command-Line Interface (CLI) user sessions with the SAP HANA Extended Application Services (XS), version 1, advanced server may have an unintentional prolonged period of validity. Consequently, a platform user could access controller resources via active CLI session even…

  • CVE-2026-44648 (High) May 29, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session…

  • CVE-2025-4677 (Medium) Jan 7, 2026
    risk 0.42, CVSS 6.5, EPSS 0.00

    Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.

  • CVE-2024-46040 (Medium) Oct 7, 2024
    risk 0.42, CVSS 6.5, EPSS 0.00

    IoT Haat Smart Plug IH-IN-16A-S IH-IN-16A-S v5.16.1 suffers from Insufficient Session Expiration. The lack of validation of the authentication token at the IoT Haat during the Access Point Pairing mode leads the attacker to replay the Wi-Fi packets and forcefully turn off the…

  • CVE-2018-14345 (High) Jul 17, 2018
    risk 0.42, CVSS 7.5, EPSS 0.01

    An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to…

  • CVE-2018-7758 (Medium) Apr 18, 2018
    risk 0.42, CVSS 6.5, EPSS 0.01

    A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000…