CWE-613 (Insufficient Session Expiration) — Vulnerability Class (302 CVEs)

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI-generated Chinese-language analysis included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing these expired credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management protocols that enforce strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and utilizing secure, HttpOnly cookies to prevent client-side script access to session identifiers.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.

Mitigations (1)
Phase: Implementation. Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a score or severity the listing flags as AI-derived.
CVE-2025-54592 | FreshRSS has Incomplete Session Termination on Logout | FreshRSS | 7.1 (AI) | High (AI) | 2025-09-29
CVE-2025-43819 | Liferay Portal and Liferay DXP code issue vulnerability | Portal | 8.2 (AI) | High (AI) | 2025-09-24
CVE-2025-59335 | CubeCart Session Not Invalidated After Password Change | v6 | 7.1 | High | 2025-09-22
CVE-2025-35433 | CISA Thorium does not properly invalidate previously used tokens | Thorium | 5.0 | Medium | 2025-09-17
CVE-2025-10223 | Improper Session Cleanup on Role Removal in Web Admin Panel in AxxonSoft Axxon One (C-Werk) | AxxonOne C-Werk | 5.4 | Medium | 2025-09-10
CVE-2025-57766 | Fides's Admin UI User Password Change Does Not Invalidate Current Session | fides | 9.8 (AI) | Critical (AI) | 2025-09-08
CVE-2025-58437 | Coder's privilege escalation vulnerability could lead to a cross workspace compromise | coder | 8.1 | High | 2025-09-06
CVE-2025-58352 | Weblate has long session expiry times during second factor verification | weblate | - | - (AI) | 2025-09-04
CVE-2025-55162 | Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag | envoy | 6.3 | Medium | 2025-09-03
CVE-2025-4643 | Lack of JWT Expiration after Log Out in PayloadCMS | Payload | 9.1 | - | 2025-08-29
CVE-2024-41985 | Multiple Siemens products code issue vulnerability | SmartClient modules Opcenter QL Home (SC) | 2.6 | Low | 2025-08-12
CVE-2025-36040 | IBM Aspera Faspex session fixation | Aspera Faspex | 6.5 | Medium | 2025-07-30
CVE-2025-31952 | HCL iAutomate is affected by an insufficient session expiration | iAutomate | 7.1 | High | 2025-07-24
CVE-2024-27779 | Fortinet FortiSandbox and Fortinet FortiIsolator code issue vulnerability | FortiSandbox | 6.3 | Medium | 2025-07-18
CVE-2025-53642 | haxcms-nodejs and haxcms-php Improperly Terminate Sessions | issues | 4.8 | Medium | 2025-07-11
CVE-2025-4407 | Application does not invalidate session after password reset | Lite Panel Pro | 6.7 | Medium | 2025-06-30
CVE-2025-49152 | Insufficient Session Expiration in MICROSENS NMP Web+ | NMP Web+ | 9.8 (AI) | Critical (AI) | 2025-06-25
CVE-2025-4754 | Missing Session Revocation on Logout in ash_authentication_phoenix | ash_authentication_phoenix | 9.8 (AI) | Critical (AI) | 2025-06-17
CVE-2024-50562 | Fortinet FortiOS SSL-VPN code issue vulnerability | FortiOS | 4.4 | Medium | 2025-06-10
CVE-2025-25019 | IBM QRadar Suite Software and IBM Cloud Pak for Security session fixation | QRadar Suite Software | 4.8 | Medium | 2025-06-03
CVE-2025-33005 | IBM Planning Analytics Local session fixation | Planning Analytics Local | 6.3 | Medium | 2025-06-01
CVE-2025-48061 | wire-webapp Has Insufficient Session Invalidation after User Logout | wire-webapp | 5.6 | Medium | 2025-05-22
CVE-2025-0138 | Prisma Cloud Compute Edition: Insufficient Session Expiration Vulnerability in the Web Interface | Prisma Cloud Compute Edition | 9.4 (AI) | Critical (AI) | 2025-05-14
CVE-2025-40566 | Siemens SIMATIC PCS neo code issue vulnerability | SIMATIC PCS neo V4.1 | 8.8 | High | 2025-05-13
CVE-2025-46741 | Improper Privilege Management | SEL Blueframe OS | 5.7 | Medium | 2025-05-12
CVE-2025-4528 | Dígitro NGC Explorer session expiration | NGC Explorer | 4.3 | Medium | 2025-05-11
CVE-2025-46815 | ZITADEL Allows IdP Intent Token Reuse | zitadel | 8.0 | High | 2025-05-06
CVE-2025-46344 | Auth0 NextJS SDK v4 Missing Session Invalidation | nextjs-auth0 | 9.1 (AI) | Critical (AI) | 2025-04-29
CVE-2025-2185 | ALBEDO Telecom Net.Time - PTP/NTP Clock Insufficient Session Expiration | Net.Time - PTP/NTP clock (Serial No. NBC0081P) | 8.0 | High | 2025-04-24
CVE-2021-47663 | Improper session handling | Franka Emika Robot | 8.1 | High | 2025-04-24

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.