
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI-generated Chinese analysis included.

CWE-613 represents a critical authentication weakness in which a web application fails to invalidate session identifiers after a user logs out or after a period of inactivity. A token that should be dead stays valid, so an attacker who obtains one (through network sniffing, session fixation, or simply a user abandoning a shared device) can present it and be treated as the authenticated user, bypassing login without ever attacking the password and reaching sensitive accounts or administrative functions. Mitigation is a matter of disciplined session management: enforce both an idle timeout and an absolute lifetime for every session, make logout destroy the server-side session state immediately rather than only clearing the cookie, and mark session cookies Secure and HttpOnly so that client-side script cannot read the identifier.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.

Mitigations (1)
Phase: Implementation. Set sessions/credentials expiration date.

Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.

  <web-app>
    [...snipped...]
    <session-config>
      <session-timeout>-1</session-timeout>
    </session-config>
  </web-app>

(Bad example, Java)
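The mitigations listed above, as an added example that is not from this page or from any of the projects listed below: a minimal server-side session store in Python (names such as SessionStore and revoke_user are hypothetical) that enforces an idle timeout and an absolute lifetime, purges state on logout and on password change, and emits a Secure/HttpOnly cookie whose Max-Age mirrors the idle timeout.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600    # hard lifetime cap, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory server-side store enforcing idle and absolute expiry (hypothetical)."""
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry is testable offline
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)     # 256-bit random identifier
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def lookup(self, sid):
        """Return the session's user, or None if the token is unknown or stale."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)         # expired: purge it, do not just refuse
            return None
        s.last_seen = t                     # sliding window for the idle timeout
        return s.user

    def logout(self, sid):
        """Drop server-side state at once; clearing the cookie alone leaves it reusable."""
        self._sessions.pop(sid, None)

    def revoke_user(self, user):
        """Drop every session of a user, e.g. after a password change or reset."""
        for sid in [k for k, s in self._sessions.items() if s.user == user]:
            self._sessions.pop(sid)


def set_cookie_header(sid):
    """HttpOnly blocks script access, Secure forces TLS, Max-Age mirrors the idle timeout."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={IDLE_TIMEOUT}"
```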
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-25628 | Insufficient Session Expiration in alf.io | alf.io | 7.6 | High | 2024-02-16
CVE-2024-25619 | Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon | mastodon | 3.1 | Low | 2024-02-14
CVE-2024-0008 | PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface | PAN-OS | 6.6 | Medium | 2024-02-14
CVE-2024-22389 | BIG-IP iControl REST API Vulnerability | BIG-IP | 7.2 | High | 2024-02-14
CVE-2023-45187 | IBM Engineering Lifecycle Optimization - Publishing session fixation | Engineering Lifecycle Optimization - Publishing | 6.3 | Medium | 2024-02-09
CVE-2023-50936 | IBM PowerSC session fixation | PowerSC | 6.3 | Medium | 2024-02-02
CVE-2024-0944 | Totolink T8 cstecgi.cgi session expiration | T8 | 3.7 | Low | 2024-01-26
CVE-2024-0943 | Totolink N350RT cstecgi.cgi session expiration | N350RT | 3.7 | Low | 2024-01-26
CVE-2024-0942 | Totolink N200RE V5 cstecgi.cgi session expiration | N200RE V5 | 3.7 | Low | 2024-01-26
CVE-2024-22403 | OAuth2 authorization codes are valid indefinitely in Nextcloud server | security-advisories | 3.0 | Low | 2024-01-18
CVE-2024-0350 | SourceCodester Engineers Online Portal session expiration | Engineers Online Portal | 3.1 | Low | 2024-01-09
CVE-2024-0260 | SourceCodester Engineers Online Portal Password Change change_password_teacher.php session expiration | Engineers Online Portal | 4.3 | Medium | 2024-01-07
CVE-2023-4320 | Satellite: arithmetic overflow in satellite | Red Hat Satellite 6.15 for RHEL 8 | 7.6 | High | 2023-12-18
CVE-2023-49091 | Jwttoken in Cosmos server never expires after password changed and logging out | Cosmos-Server | 8.8 | High | 2023-11-29
CVE-2023-47628 | Session Expiration Misconfiguration in datahub | datahub | 4.2 | Medium | 2023-11-14
CVE-2023-5889 | Insufficient Session Expiration in pkp/pkp-lib | pkp/pkp-lib | 9.4 | - | 2023-11-01
CVE-2023-5865 | Insufficient Session Expiration in thorsten/phpmyfaq | thorsten/phpmyfaq | 9.4 | - | 2023-10-31
CVE-2023-5838 | Insufficient Session Expiration in linkstackorg/linkstack | linkstackorg/linkstack | 9.4 | - | 2023-10-29
CVE-2023-46158 | IBM WebSphere Application Server session fixation | WebSphere Application Server Liberty | 4.9 | Medium | 2023-10-25
CVE-2021-20581 | IBM Security Verify Privilege information disclosure | Security Verify Privilege | 5.3 | Medium | 2023-10-17
CVE-2023-45659 | Session is not expiring after password reset in Engelsystem | engelsystem | 3.6 | Low | 2023-10-16
CVE-2023-33303 | Fortinet FortiEDR code issue vulnerability | FortiEDR | 7.7 | High | 2023-10-13
CVE-2023-42768 | BIG-IP iControl REST vulnerability | BIG-IP | 7.2 | High | 2023-10-10
CVE-2023-40537 | Multi-blade VIPRION Configuration utility session cookie vulnerability | BIG-IP | 8.1 | High | 2023-10-10
CVE-2023-40732 | Siemens QMS Automotive code issue vulnerability | QMS Automotive | 3.9 | Low | 2023-09-12
CVE-2023-41041 | User session is still usable after logout in graylog2-server | graylog2-server | 2.6 | Low | 2023-08-30
CVE-2023-40025 | Argo CD web terminal session doesn't expire | argo-cd | 4.7 | Medium | 2023-08-23
CVE-2023-40174 | Insufficient Session Expiration in fobybus/social-media-skeleton | social-media-skeleton | 6.8 | Medium | 2023-08-18
CVE-2023-37570 | Insufficient Session Expiration Vulnerability in Emagic Data Center Management Suite | Emagic Data Center Management Suite | 7.2 | High | 2023-08-08
CVE-2023-4190 | Insufficient Session Expiration in admidio/admidio | admidio/admidio | 8.3 | - | 2023-08-06

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) account for 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.