
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese analysis included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By replaying these still-valid credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management that enforces strict expiration policies: setting appropriate timeout durations for both absolute session lifetime and idle time, ensuring that logout actions immediately invalidate the server-side session data (not just the client cookie), and setting the Secure and HttpOnly flags on session cookies so that client-side scripts cannot read the identifier and it is never sent over plaintext connections.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism
Mitigations (1)
Phase: Implementation · Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
    <web-app>
      [...snipped...]
      <session-config>
        <session-timeout>-1</session-timeout>
      </session-config>
    </web-app>

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
(values marked "(AI)" carry the page's AI badge on the score or severity)
CVE-2026-33417 | Wallos: Password Reset Tokens Never Expire | Wallos | 6.5 | Medium | 2026-03-24
CVE-2026-32663 | IGL-Technologies eParking.fi Insufficient Session Expiration | eParking.fi | 7.3 | High | 2026-03-20
CVE-2026-27649 | CTEK Chargeportal Insufficient Session Expiration | Chargeportal | 7.3 | High | 2026-03-20
CVE-2025-15553 | Insecure Logout Functionality in Truesec LAPSWebUI | LAPSWebUI | 7.8 (AI) | High (AI) | 2026-03-16
CVE-2025-15552 | Long Session Lifetime in Truesec LAPSWebUI | LAPSWebUI | 7.8 (AI) | High (AI) | 2026-03-16
CVE-2026-32132 | ZITADEL: Reactivation of Expired Passkey Registration Codes | zitadel | 7.4 | High | 2026-03-11
CVE-2026-20748 | Everon api.everon.io Insufficient Session Expiration | api.everon.io | 7.3 | High | 2026-03-06
CVE-2026-27764 | Mobiliti e-mobi.hu Insufficient Session Expiration | e-mobi.hu | 7.3 | High | 2026-03-06
CVE-2026-24912 | ePower epower.ie Insufficient Session Expiration | epower.ie | 7.3 | High | 2026-03-05
CVE-2026-21622 | Password Reset Tokens Do Not Expire | hexpm | 8.1 | - | 2026-03-05
CVE-2025-59786 | Cookies are not Invalidated upon Logout and Password Change | 2N Access Commander | 6.5 (AI) | Medium (AI) | 2026-03-04
CVE-2026-28396 | NocoDB: Refresh Tokens Not Revoked on Password Reset | nocodb | 7.1 (AI) | High (AI) | 2026-03-02
CVE-2026-3401 | SourceCodester Web-based Pharmacy Product Management System session expiration | Web-based Pharmacy Product Management System | 3.1 | Low | 2026-03-02
CVE-2026-27647 | Mobility46 mobility46.se Insufficient Session Expiration | mobility46.se | 7.3 | High | 2026-02-27
CVE-2026-26290 | EV Energy ev.energy Insufficient Session Expiration | ev.energy | 7.3 | High | 2026-02-27
CVE-2026-25778 | SWITCH EV swtchenergy.com Insufficient Session Expiration | swtchenergy.com | 7.3 | High | 2026-02-27
CVE-2026-20895 | EV2GO ev2go.io Insufficient Session Expiration | ev2go.io | 7.3 | High | 2026-02-26
CVE-2026-27652 | CloudCharge cloudcharge.se Insufficient Session Expiration | cloudcharge.se | 7.3 | High | 2026-02-26
CVE-2026-25711 | Chargemap chargemap.com Insufficient Session Expiration | chargemap.com | 7.3 | High | 2026-02-26
CVE-2026-28275 | Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid) | initiative | 8.1 | High | 2026-02-26
CVE-2026-27933 | Manyfold vulnerable to session hijack via cookie leakage in proxy caches | manyfold | 6.8 | Medium | 2026-02-25
CVE-2026-25476 | OpenEMR has Session Timeout Bypass via skip_timeout_reset | openemr | 7.5 | High | 2026-02-25
CVE-2026-26342 | Tattile Smart+ / Vega / Basic <= 1.181.5 Insufficient Session Token Expiration | Smart+ | 9.8 (AI) | Critical (AI) | 2026-02-24
CVE-2026-1842 | HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access | HyperCloud | 8.8 (AI) | High (AI) | 2026-02-20
CVE-2026-1435 | Incorrect management of session invalidation vulnerability in Graylog Web Interface | Graylog Web Interface | 9.1 | - | 2026-02-18
CVE-2025-36376 | IBM Security QRadar EDR Software has multiple vulnerabilities | Security QRadar EDR | 6.3 | Medium | 2026-02-17
CVE-2025-36377 | IBM Security QRadar EDR Software has multiple vulnerabilities | Security QRadar EDR | 6.3 | Medium | 2026-02-17
CVE-2025-27898 | Multiple vulnerabilities in IBM Java SDK affecting Db2 Recovery Expert for Linux, Unix and Windows | DB2 Recovery Expert for LUW | 6.3 | Medium | 2026-02-17
CVE-2024-43181 | Multiple Vulnerabilities in IBM Concert Software | Concert | 6.3 | Medium | 2026-02-04
CVE-2026-24669 | Open eClass Insecure Password Reset Token Reuse Enables Account Takeover | openeclass | 7.8 | High | 2026-02-03

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.