VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base | Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 6 of 12
  • CVE-2025-4643 | Med | Aug 29, 2025
    risk 0.34 | cvss n/a | epss 0.00

    Payload uses JSON Web Tokens (JWT) for authentication. After log out the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to freely reuse it until its expiration date (which is by default set to 2 hours, but can be changed). This issue has been…

  • CVE-2024-50562 | Med | Jun 10, 2025
    risk 0.34 | cvss 4.8 | epss 0.01

    An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again,…

  • CVE-2026-45005 | Med | May 11, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured…

  • CVE-2017-12867 | Med | Aug 29, 2017
    risk 0.31 | cvss 5.9 | epss 0.01

    The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

  • CVE-2025-48061 | Med | May 22, 2025
    risk 0.29 | cvss 5.6 | epss 0.00

    wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the…

  • CVE-2026-42421 | Med | Apr 28, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing…

  • CVE-2026-41916 | Med | Apr 28, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication…

  • CVE-2026-41356 | Med | Apr 23, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

  • CVE-2026-0971 | Med | Apr 21, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.

  • CVE-2026-35462 | Med | Apr 7, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a…

  • CVE-2026-34362 | Med | Mar 27, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a…

  • CVE-2025-12110 | Med | Oct 23, 2025
    risk 0.28 | cvss 5.4 | epss 0.00

    A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes…

  • CVE-2025-11429 | Med | Oct 23, 2025
    risk 0.28 | cvss 5.4 | epss 0.00

    A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the…

  • CVE-2025-4528 | Med | May 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A weakness has been identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to insufficient session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mitigates this issue. It is recommended to…

  • CVE-2026-46401 | Med | Jun 5, 2026
    risk 0.27 | cvss n/a | epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain…

  • CVE-2026-41891 | Med | May 7, 2026
    risk 0.27 | cvss n/a | epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been…

  • CVE-2026-1163 | Med | Apr 8, 2026
    risk 0.27 | cvss 4.1 | epss 0.00

    An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of…

  • CVE-2016-0234 | Med | Aug 30, 2018
    risk 0.26 | cvss 4.0 | epss 0.00

    IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.

  • CVE-2025-46344 | Med | Apr 29, 2025
    risk 0.25 | cvss n/a | epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal…

  • CVE-2024-29402 | Med | Apr 16, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity.
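Most of the entries on this page fall into four failure modes of one server-side check: the token's expiry is never compared against the clock (Papra, AVideo, the Auth0 SDK), logout does not revoke it (Payload, HAX CMS, Wire), a password reset leaves older sessions alive (lollms), or a rotated secret leaves sessions issued under the old one alive (OpenClaw). The following is an added example, not code from any of the projects listed; the class and method names are assumptions. It keeps an opaque session id in a server-side store and rejects it when any of those four conditions holds, using a per-user `credential_version` counter so that a password reset or secret rotation invalidates every earlier session in one step:

```python
"""Server-side session validation covering expiry, logout, password reset
and secret rotation (added example; names and the constructed walkthrough
data are assumptions, not any listed project's code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    # Bumped on password reset or credential/secret rotation. Every session
    # records the value it was issued under and dies when the user's moves on.
    credential_version: int = 0


@dataclass
class Session:
    user: str
    credential_version: int
    issued_at: float
    expires_at: float
    revoked: bool = False


class SessionStore:
    def __init__(self, lifetime_s: float = 3600.0):
        self.lifetime_s = lifetime_s
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, name: str) -> None:
        self.users[name] = User(name=name)

    def login(self, name: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        u = self.users[name]
        self.sessions[sid] = Session(name, u.credential_version, now, now + self.lifetime_s)
        return sid

    def validate_insecure(self, sid: str) -> str | None:
        """The shape of the bug: any id present in the store is accepted,
        whatever the clock says and whatever happened to the user since."""
        s = self.sessions.get(sid)
        return s.user if s else None

    def validate(self, sid: str, now: float) -> str | None:
        s = self.sessions.get(sid)
        if s is None:
            return None
        user = self.users.get(s.user)
        stale = (
            s.revoked                                 # logged out
            or now >= s.expires_at                    # lifetime elapsed
            or user is None                           # account removed
            or s.credential_version != user.credential_version  # reset/rotation
        )
        if stale:
            del self.sessions[sid]  # purge so a later clock skew cannot revive it
            return None
        return s.user

    def logout(self, sid: str) -> None:
        s = self.sessions.get(sid)
        if s is not None:
            s.revoked = True

    def reset_password(self, name: str) -> None:
        """Also the right hook for rotating an API secret: every session issued
        under the previous version fails on its next validate()."""
        self.users[name].credential_version += 1


def walkthrough() -> dict[str, bool]:
    """Constructed scenario: one user, a 2-hour lifetime, the four failure modes."""
    store = SessionStore(lifetime_s=7200)
    store.add_user("alice")
    t0 = 1_700_000_000.0
    out: dict[str, bool] = {}

    sid = store.login("alice", t0)
    out["fresh"] = store.validate(sid, t0 + 60) == "alice"
    store.logout(sid)
    out["after_logout_insecure"] = store.validate_insecure(sid) == "alice"  # the bug
    out["after_logout"] = store.validate(sid, t0 + 61) is None

    sid2 = store.login("alice", t0 + 100)
    out["expired"] = store.validate(sid2, t0 + 100 + 7200) is None

    sid3 = store.login("alice", t0 + 200)
    store.reset_password("alice")
    out["after_reset"] = store.validate(sid3, t0 + 201) is None
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The same version check is what closes the OpenClaw-style rotation gap for long-lived connections: a WebSocket handler that re-runs `validate()` on each message, or on a rotation event, drops connections whose session was issued under the superseded secret instead of letting them ride until the socket closes.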
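The SimpleSAMLphp entry (CVE-2017-12867) is a different shape of the same weakness: a stateless, time-limited token whose validity window is steered by a time offset that is prepended to the token but not covered by the integrity check. The following added example, written for this page and not taken from SimpleSAMLphp, models that construction under stated assumptions: the token is `<offset>-<mac>`, the validator derives the time slot as `(now + offset) // lifetime` from the offset it reads out of the token, and only the slot is authenticated. A holder of an expired token then picks a new offset that makes the server land on the issuing slot again. Binding the offset into the MAC (`bind_offset=True`) is the fix shown beside it:

```python
"""Time-limited token with an unauthenticated prepended offset, and the
fixed variant that binds the offset into the MAC. Added example modelling
CVE-2017-12867's mechanism; the format and SECRET are constructed assumptions."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret-do-not-reuse"


def _slot(now: int, offset: int, lifetime: int) -> int:
    """Validity window index; tokens in the same slot share a MAC."""
    return (now + offset) // lifetime


def _mac(offset: int, slot: int, bind_offset: bool) -> str:
    # Vulnerable variant authenticates the slot only; the fixed variant also
    # authenticates the offset the validator will trust.
    msg = f"{offset}:{slot}" if bind_offset else f"{slot}"
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def generate(now: int, lifetime: int, offset: int, bind_offset: bool) -> str:
    return f"{offset:x}-{_mac(offset, _slot(now, offset, lifetime), bind_offset)}"


def validate(token: str, now: int, lifetime: int, bind_offset: bool) -> bool:
    # rpartition: a negative hex offset also starts with '-'.
    off_hex, _, mac = token.rpartition("-")
    try:
        offset = int(off_hex, 16)
    except ValueError:
        return False
    expected = _mac(offset, _slot(now, offset, lifetime), bind_offset)
    return hmac.compare_digest(mac, expected)


def forge_extension(token: str, issued_at: int, now: int) -> str:
    """Attacker move: keep the MAC, rewrite the offset so that
    (now + new_offset) == (issued_at + old_offset), i.e. the same slot."""
    off_hex, _, mac = token.rpartition("-")
    new_offset = int(off_hex, 16) - (now - issued_at)
    return f"{new_offset:x}-{mac}"


def demo() -> dict[str, bool]:
    """Constructed timeline: 15-minute lifetime, token replayed 5 windows later."""
    lifetime, issued_at = 900, 1_000_000
    later = issued_at + 5 * lifetime
    vuln = generate(issued_at, lifetime, 0, bind_offset=False)
    fixed = generate(issued_at, lifetime, 0, bind_offset=True)
    return {
        "vuln_fresh": validate(vuln, issued_at, lifetime, False),
        "vuln_expired": validate(vuln, later, lifetime, False),
        "vuln_forged": validate(forge_extension(vuln, issued_at, later), later, lifetime, False),
        "fixed_fresh": validate(fixed, issued_at, lifetime, True),
        "fixed_forged": validate(forge_extension(fixed, issued_at, later), later, lifetime, True),
    }


if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: every value the validator reads from the token and uses to decide its lifetime (offset, issued-at, expiry, slot) must be inside the MAC or signature, otherwise the holder of the token, not the server, controls when it expires.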