VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base, Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 7 of 12
  • CVE-2024-31995 (Med, Apr 10, 2024)
    risk 0.21 | cvss 4.3 | epss 0.00

    `@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked…

  • CVE-2026-41519 (Med, May 7, 2026)
    risk 0.20 | cvss 4.2 | epss 0.00

    Weblate is a web-based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been…

  • CVE-2026-3401 (Low, Mar 2, 2026)
    risk 0.20 | cvss 3.1 | epss 0.00

    A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is…

  • CVE-2026-1190 (Low, Jan 26, 2026)
    risk 0.20 | cvss 3.1 | epss 0.00

    A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the…

  • CVE-2025-46336 (Med, May 8, 2025)
    risk 0.20 | cvss 4.2 | epss 0.00

    Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the…

  • CVE-2026-52809 (Med, Jun 23, 2026)
    risk 0.19 | cvss | epss 0.00

    Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification…

  • CVE-2026-1272 (Low, Apr 23, 2026)
    risk 0.18 | cvss 2.7 | epss 0.00

    IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to a security misconfiguration vulnerability in the user access control panel.

  • CVE-2026-34454 (Low, Apr 14, 2026)
    risk 0.16 | cvss 3.5 | epss 0.00

    OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout…

  • CVE-2025-52661 (Low, Jan 19, 2026)
    risk 0.16 | cvss 2.4 | epss 0.00

    HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.

  • CVE-2025-0138 (Low, May 14, 2025)
    risk 0.13 | cvss | epss 0.00

    Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue.

  • CVE-2025-4754 (Low, Jun 17, 2025)
    risk 0.08 | cvss | epss 0.00

    Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0.

  • CVE-2026-55423 (Jun 19, 2026)
    risk 0.00 | cvss | epss 0.00

    Summary: The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. Details: Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf`…

  • CVE-2026-54779 (Jun 19, 2026)
    risk 0.00 | cvss | epss

    Impact: When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused. Patches: Fixed in CoreWCF v1.8.1 and v1.9.1. Workarounds: Provide your own implementation of `ITokenReplayCache` with the correct behavior.

  • CVE-2026-55617 (Jun 18, 2026)
    risk 0.00 | cvss | epss

    Impact: Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side…

  • CVE-2026-53928 (Jun 17, 2026)
    risk 0.00 | cvss | epss 0.00

    Summary: A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details: `passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated…

  • CVE-2026-53926 (Jun 5, 2026)
    risk 0.00 | cvss | epss 0.00

    Summary: OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details: `revokeAllOAuthTokensByUser` in the users…

  • CVE-2026-46554 (Low, May 21, 2026)
    risk 0.00 | cvss | epss 0.00

    Summary: Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details: The API token deletion path removed the database row but did not evict the token-value…

  • CVE-2026-30224 (Mar 6, 2026)
    risk 0.00 | cvss | epss 0.00

    OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry…

  • CVE-2026-28396 (Mar 2, 2026)
    risk 0.00 | cvss | epss 0.00

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.…

  • CVE-2026-27575 (Feb 25, 2026)
    risk 0.00 | cvss | epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes…