302 vulnerabilities classified as CWE-613 (不充分的会话过期机制). AI Chinese analysis included.
CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing these expired credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management protocols that enforce strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and utilizing secure, HttpOnly cookies to prevent client-side script access to session identifiers.
<web-app> [...snipped...] <session-config> <session-timeout>-1</session-timeout> </session-config> </web-app>| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2017-14007 | ProMinent MultiFLEX M10a Controller Web界面安全漏洞 — ProMinent MultiFLEX M10a Controller | 8.2 | - | 2017-10-17 |
| CVE-2017-3215 | Milwaukee ONE-KEY Android mobile应用程序安全漏洞 — ONE-KEY | 7.4 | - | 2017-06-20 |
Vulnerabilities classified as CWE-613 (不充分的会话过期机制) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.