CWE-613 (Insufficient Session Expiration) — Vulnerability Class, 302 CVEs

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI-generated Chinese-language analysis included.

CWE-613 is an authentication weakness in which a web application fails to invalidate a session identifier when it should: after the user logs out, after a period of inactivity, after a maximum lifetime, or after a credential change such as a password reset. A session ID that stays valid past those points can be replayed by anyone who has obtained it, whether through network sniffing, session fixation (a pre-authentication ID the application never rotates at login) or a shared or abandoned device. Replaying it grants the victim's access, including any administrative functions, with no need to recover a password. Mitigation is server-side session management: enforce both an idle timeout and an absolute lifetime, destroy the server-side session record on logout rather than merely clearing the cookie, issue a fresh identifier at login, and invalidate all of a user's existing sessions when the password changes. Marking the session cookie Secure and HttpOnly limits exposure of the identifier to client-side script and plaintext transport, but it does nothing about a token the server continues to honour; expiration has to be enforced on the server.
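The controls listed above, as an added worked example in Python. This is hypothetical illustration code, not taken from any product on this page: a minimal server-side session store with an idle timeout, an absolute lifetime, server-side invalidation on logout, and a per-user credential generation so that sessions issued before a password change stop resolving (the failure mode named in the Apache Roller and Apache Airflow entries in the table below). Next to it sits an InsecureStore that behaves the way the weakness describes. All class names, constants, the demo() driver and the timestamps are assumptions constructed for the example.

```python
"""Hypothetical session store illustrating CWE-613 and its mitigation.
Added example code, not from any product listed on the page; every name
(SessionStore, InsecureStore, IDLE_TIMEOUT, ...) is an assumption."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on lifetime, even for an active session


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    credential_generation: int  # user's credential version captured at login


class InsecureStore:
    """The weakness: no timeouts, and 'logout' only clears the client cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        pass  # cookie deleted client-side; the server keeps honouring the id

    def resolve(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


class SessionStore:
    """Hardened counterpart: idle and absolute timeouts, server-side deletion
    on logout, and rejection of sessions issued before a password change."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._sessions: Dict[str, Session] = {}
        self._generation: Dict[str, int] = {}  # per-user credential version
        self._clock = clock

    def login(self, user: str) -> str:
        # A fresh random id on every login; never adopt a pre-auth id supplied
        # by the client, which is what session fixation relies on.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, self._generation.get(user, 0))
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # destroy server-side state, not just the cookie

    def change_password(self, user: str) -> None:
        # Bumping the generation makes every earlier session fail resolve().
        self._generation[user] = self._generation.get(user, 0) + 1

    def resolve(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        expired = (
            now - s.last_seen > IDLE_TIMEOUT
            or now - s.created > ABSOLUTE_TIMEOUT
            or s.credential_generation != self._generation.get(s.user, 0)
        )
        if expired:
            self._sessions.pop(sid, None)  # purge so a later replay also fails
            return None
        s.last_seen = now
        return s.user


def demo() -> Dict[str, bool]:
    """Drive both stores with a controllable clock and return the observations."""
    t = [1_700_000_000.0]  # constructed starting timestamp
    secure = SessionStore(clock=lambda: t[0])
    out: Dict[str, bool] = {}

    sid = secure.login("alice")
    out["valid_after_login"] = secure.resolve(sid) == "alice"
    secure.logout(sid)
    out["valid_after_logout"] = secure.resolve(sid) is not None

    sid = secure.login("alice")
    t[0] += IDLE_TIMEOUT + 1
    out["valid_after_idle"] = secure.resolve(sid) is not None

    sid = secure.login("alice")
    start = t[0]
    while secure.resolve(sid) is not None:  # keep the session active...
        t[0] += IDLE_TIMEOUT - 60           # ...always inside the idle window
    lifetime = t[0] - start
    out["absolute_cap_enforced"] = ABSOLUTE_TIMEOUT < lifetime <= ABSOLUTE_TIMEOUT + IDLE_TIMEOUT

    sid = secure.login("alice")
    other = secure.login("bob")
    secure.change_password("alice")
    out["valid_after_password_change"] = secure.resolve(sid) is not None
    out["other_user_unaffected"] = secure.resolve(other) == "bob"

    weak = InsecureStore()
    sid = weak.login("alice")
    weak.logout(sid)
    out["insecure_valid_after_logout"] = weak.resolve(sid) == "alice"
    return out
```

Call demo() to see each observation. The store takes a caller-supplied clock so the timeouts can be exercised without waiting; in a deployment the same checks belong in whatever middleware resolves the session cookie, and the store would be shared (database or cache) rather than an in-process dict so that a logout on one node is honoured on all of them.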

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
  Access Control: Bypass Protection Mechanism

Mitigations (1)
  Implementation: Set sessions/credentials expiration date.

Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). The value is expressed in minutes; here it is set to -1, and under the Servlet specification a value of 0 or less means the session never times out.

Bad · Java (web.xml)
  <web-app>
    [...snipped...]
    <session-config>
      <session-timeout>-1</session-timeout>
    </session-config>
  </web-app>
CVE ID | Title | Product | CVSS | Severity | Published
(Scores marked (AI) are flagged on this page as AI-assigned rather than vendor-published values.)
CVE-2024-22351 | IBM InfoSphere Information Server session fixation | InfoSphere Information Server | 6.3 | Medium | 2025-04-23
CVE-2025-42602 | Improper Authentication Vulnerability in Meon KYC solutions | KYC solutions | 9.1 | - | 2025-04-23
CVE-2024-45651 | IBM Sterling Connect:Direct Web Services session fixation | Sterling Connect:Direct Web Services | 6.3 | Medium | 2025-04-18
CVE-2024-49825 | IBM Robotic Process Automation session fixation | Robotic Process Automation | 6.3 | Medium | 2025-04-14
CVE-2025-24859 | Apache Roller: Insufficient Session Expiration on Password Change | Apache Roller | 8.8 (AI) | High (AI) | 2025-04-14
CVE-2025-30516 | Unauthorized Notification Exposure in Mobile App Under Specific Conditions | Mattermost | 2.0 | Low | 2025-04-14
CVE-2025-1968 | Progress Sitefinity code issue vulnerability | Sitefinity | 7.7 | High | 2025-04-09
CVE-2024-25051 | IBM Jazz Reporting Service insufficient session expiration | Jazz Reporting Service | 6.6 | Medium | 2025-04-02
CVE-2025-2596 | Session logout can be overwritten by long lasting request | Checkmk | 7.1 (AI) | High (AI) | 2025-03-26
CVE-2025-1198 | Insufficient Session Expiration in GitLab | GitLab | 4.2 | Medium | 2025-02-13
CVE-2025-24973 | Concorde not removing authentication tokens after logging out | concorde | 9.4 | Critical | 2025-02-11
CVE-2025-24896 | Misskey allows token to remain valid in cookie after signing out | misskey | 8.1 | High | 2025-02-11
CVE-2024-45386 | Siemens SIMATIC PCS and Siemens TIA Administrator code issue vulnerability | SIMATIC PCS neo V4.0 | 8.8 | High | 2025-02-11
CVE-2024-13280 | Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044 | Persistent Login | 9.1 | - | 2025-01-09
CVE-2024-45033 | Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli | Apache Airflow Fab Provider | 8.8 | - | 2025-01-08
CVE-2024-11627 | Progress Sitefinity security vulnerability | Sitefinity | 6.8 | Medium | 2025-01-07
CVE-2025-22386 | Optimizely Configured Commerce security vulnerability | n/a | 5.3 | - | 2025-01-04
CVE-2024-56413 | Acronis Cyber Protect code issue vulnerability | Acronis Cyber Protect 16 | 9.1 | - | 2025-01-02
CVE-2024-56351 | JetBrains TeamCity code issue vulnerability | TeamCity | 6.3 | Medium | 2024-12-20
CVE-2024-55603 | Insufficient session invalidation in Kanboard | kanboard | 6.5 | Medium | 2024-12-18
CVE-2024-12667 | InvoicePlane view session expiration | InvoicePlane | 3.7 | Low | 2024-12-16
CVE-2024-11668 | Insufficient Session Expiration in GitLab | GitLab | 4.2 | Medium | 2024-11-26
CVE-2024-35160 | IBM Watson Query on Cloud Pak for Data and IBM Db2 Big SQL on Cloud Pak for Data information disclosure | Watson Query for Cloud Pak for Data | 4.3 | Medium | 2024-11-23
CVE-2024-11208 | Apereo CAS login session expiration | CAS | 3.7 | Low | 2024-11-14
CVE-2024-46892 | Siemens SINEC INS code issue vulnerability | SINEC INS | 4.9 | Medium | 2024-11-12
CVE-2024-52311 | data.all does not invalidate authentication token upon user logout | data.all | 6.3 | Medium | 2024-11-09
CVE-2024-48926 | Umbraco CMS logout page displayed before session expiration | Umbraco-CMS | 4.2 | Medium | 2024-10-22
CVE-2024-45462 | Apache CloudStack: Incomplete session invalidation on web interface logout | Apache CloudStack | 6.3 | Medium | 2024-10-16
CVE-2024-43685 | Session token fixation in TimeProvider 4100 | TimeProvider 4100 | 8.8 | - | 2024-10-04
CVE-2024-23586 | An insufficient session timeout vulnerability affects HCL Nomad server on Domino | Nomad server on Domino | 5.3 | Medium | 2024-09-27

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) account for 302 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.