VYPR

CWE-613

Insufficient Session Expiration

Base, Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 9 of 12
  • CVE-2023-6787 (Apr 25, 2024)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the…

  • CVE-2024-30262 (Apr 9, 2024)
    risk 0.00 | cvss | epss 0.01

    Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to…

  • CVE-2024-31447 (Apr 8, 2024)
    risk 0.00 | cvss | epss 0.01

    Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged…

  • CVE-2023-50270 (Feb 20, 2024)
    risk 0.00 | cvss | epss 0.01

    Session Fixation in Apache DolphinScheduler before version 3.2.0, where the session is still valid after a password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

  • CVE-2024-21492 (Feb 17, 2024)
    risk 0.00 | cvss | epss 0.01

    All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and…

  • CVE-2024-25718 (Feb 11, 2024)
    risk 0.00 | cvss | epss 0.01

    In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.

  • CVE-2023-46121 (Nov 14, 2023)
    risk 0.00 | cvss | epss 0.00

    yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead…

  • CVE-2023-5865 (Oct 31, 2023)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

  • CVE-2022-3916 (Sep 20, 2023)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This…

  • CVE-2023-41041 (Aug 30, 2023)
    risk 0.00 | cvss | epss 0.00

    Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions.…

  • CVE-2023-40178 (Aug 23, 2023)
    risk 0.00 | cvss | epss 0.00

    Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be…

  • CVE-2023-40025 (Aug 23, 2023)
    risk 0.00 | cvss | epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired.…

  • CVE-2023-4190 (Aug 6, 2023)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11.

  • CVE-2023-4126 (Aug 3, 2023)
    risk 0.00 | cvss | epss 0.00

    Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.

  • CVE-2023-38489 (Jul 27, 2023)
    risk 0.00 | cvss | epss 0.01

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a…

  • CVE-2023-31065 (May 22, 2023)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are…

  • CVE-2023-33005 (May 16, 2023)
    risk 0.00 | cvss | epss 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

  • CVE-2023-28472 (Apr 28, 2023)
    risk 0.00 | cvss | epss 0.01

    Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, do not have Secure and HTTP only attributes set for ccmPoll cookies.

  • CVE-2023-1788 (Apr 5, 2023)
    risk 0.00 | cvss | epss 0.00

    Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.

  • CVE-2023-1543 (Mar 21, 2023)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.