
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese-language analysis included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing these expired credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management protocols that enforce strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and utilizing secure, HttpOnly cookies to prevent client-side script access to session identifiers.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
    <web-app>
      [...snipped...]
      <session-config>
        <session-timeout>-1</session-timeout>
      </session-config>
    </web-app>
Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-24667 | Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access | openeclass | 5.0 | Medium | 2026-02-03
CVE-2025-55705 | EVMAPA Insufficient Session Expiration | EVMAPA | 7.3 | High | 2026-01-22
CVE-2025-36065 | Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX. | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | 6.3 | Medium | 2026-01-20
CVE-2025-36063 | Multiple vulnerabilities were addressed in IBM Sterling Connect:Express for UNIX. | Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | 6.3 | Medium | 2026-01-20
CVE-2025-52661 | HCL AION security vulnerability | AION | 2.4 | Low | 2026-01-19
CVE-2025-4677 | Idle session timeout is not configured for multiple open ports | WebPro SNMP Card PowerValue | 6.5 | Medium | 2026-01-07
CVE-2025-31962 | HCL BigFix IVR is impacted by an insufficient session expiration vulnerability | BigFix IVR | 2.0 | Low | 2026-01-07
CVE-2025-68954 | Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced | panel | 6.5 | - | 2026-01-06
CVE-2021-47740 | KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability | JT3500V | 7.5 | High | 2025-12-31
CVE-2022-50692 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session Expiration Vulnerability | Impact/Pulse/First | 7.5 | High | 2025-12-30
CVE-2025-62329 | HCL DevOps Deploy / HCL Launch is susceptible to an insufficient session expiration vulnerability | DevOps Deploy / Launch | 5.0 | Medium | 2025-12-16
CVE-2025-36360 | IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability | UCD - IBM UrbanCode Deploy | 5.0 | Medium | 2025-12-15
CVE-2025-62631 | Fortinet FortiOS code issue vulnerability | FortiOS | 5.3 | Medium | 2025-12-09
CVE-2025-66289 | OrangeHRM is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change | orangehrm | 8.8 | - | 2025-11-29
CVE-2025-66223 | OpenObserve's Invite Token Lifecycle Misconfiguration | openobserve | 9.8 | - | 2025-11-29
CVE-2025-53896 | Kiteworks MFT is vulnerable to Insufficient Session Expiration | security-advisories | 7.1 | High | 2025-11-29
CVE-2025-64708 | authentik invitation expiry is delayed by at least 5 minutes | authentik | 5.8 | Medium | 2025-11-19
CVE-2025-55278 | HCL DevOps Loop is susceptible to an improper authentication vulnerability | DevOps Loop | 8.1 | High | 2025-11-05
CVE-2025-64386 | HIJACKING OF THE TOKEN AND GAINING ACCESS | TCPRS1plus | 9.8 | - | 2025-10-31
CVE-2024-13996 | Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change | XI | 9.8 (AI) | Critical (AI) | 2025-10-30
CVE-2025-54547 | On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g. scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired | DANZ Monitoring Fabric | 5.3 | Medium | 2025-10-29
CVE-2025-62781 | PILOS is missing session regeneration after password change | PILOS | 5.0 | Medium | 2025-10-27
CVE-2025-12110 | Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed | keycloak | 5.4 | Medium | 2025-10-23
CVE-2025-11429 | Keycloak-server: too long and not settings compliant session | keycloak | 5.4 | Medium | 2025-10-23
CVE-2025-3930 | Lack of JWT Expiration after Log Out in Strapi | Strapi | 9.1 (AI) | Critical (AI) | 2025-10-16
CVE-2024-33507 | Fortinet FortiIsolator code issue vulnerability | FortiIsolator | 7.0 | High | 2025-10-14
CVE-2025-25252 | Fortinet FortiOS SSL-VPN code issue vulnerability | FortiOS | 4.3 | Medium | 2025-10-14
CVE-2025-62174 | Mastodon allows continued access after password reset via CLI | mastodon | 3.5 | Low | 2025-10-13
CVE-2025-61775 | Vickey's unexpired email confirmation link can be reused to send repeated confirmation emails | Vickey | 5.3 (AI) | Medium (AI) | 2025-10-13
CVE-2023-49881 | IBM Transformation Extender Advanced session fixation | Transformation Extender Advanced | 6.3 | Medium | 2025-10-01

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.