VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base; Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 4 of 12
  • CVE-2017-3966 (Med, Apr 4, 2018)
    risk 0.42, cvss 6.4, epss 0.01

    Exploitation of session variables, resource IDs and other trusted credentials vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to exploit or harm a user's browser via reusing the exposed session token in the…

  • CVE-2017-1000136 (Med, Nov 3, 2017)
    risk 0.42, cvss 6.5, epss 0.01

    Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change.

  • CVE-2017-1000135 (Med, Nov 3, 2017)
    risk 0.42, cvss 6.5, epss 0.01

    Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.

  • CVE-2017-1000131 (Med, Nov 3, 2017)
    risk 0.42, cvss 6.5, epss 0.01

    Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions.

  • CVE-2026-44511 (High, May 14, 2026)
    risk 0.41, cvss 7.4, epss 0.00

    Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after…

  • CVE-2025-66483 (Med, Apr 1, 2026)
    risk 0.41, cvss 6.3, epss 0.00

    IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.

  • CVE-2025-3930 (Med, Oct 16, 2025)
    risk 0.41, cvss n/a, epss 0.01

    Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be…

  • CVE-2024-35220 (High, May 21, 2024)
    risk 0.41, cvss 7.4, epss 0.00

    @fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired…

  • CVE-2024-31999 (High, Apr 10, 2024)
    risk 0.41, cvss 7.4, epss 0.01

    @festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the…

  • CVE-2018-5438 (Med, Mar 20, 2018)
    risk 0.41, cvss 6.3, epss 0.00

    Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where…

  • CVE-2026-1842 (Med, Feb 20, 2026)
    risk 0.40, cvss n/a, epss 0.00

    HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one…

  • CVE-2024-56413 (Med, Jan 2, 2025)
    risk 0.40, cvss 6.1, epss 0.00

    Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.

  • CVE-2026-46657 (High, Jun 8, 2026)
    risk 0.39, cvss 7.1, epss 0.00

    Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to…

  • CVE-2025-12624 (Med, Apr 16, 2026)
    risk 0.39, cvss 6.0, epss 0.00

    Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. …

  • CVE-2026-34828 (High, Apr 2, 2026)
    risk 0.39, cvss 7.1, epss 0.00

    listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically…

  • CVE-2026-54321 (High, Jun 16, 2026)
    risk 0.38, cvss n/a, epss 0.00

    ### Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. ### Impact When a sandbox…

  • CVE-2026-5376 (Med, Apr 7, 2026)
    risk 0.38, cvss 5.9, epss 0.00

    An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of…

  • CVE-2018-11386 (Med, Jun 13, 2018)
    risk 0.38, cvss 5.9, epss 0.02

    An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and…

  • CVE-2026-1815 (Med, May 21, 2026)
    risk 0.37, cvss 5.7, epss 0.00

    Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13.

  • CVE-2026-43911 (Med, May 11, 2026)
    risk 0.37, cvss 6.8, epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset,…