CWE-613 (Insufficient Session Expiration) — Vulnerability Class 302

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese analysis included.

CWE-613 represents a critical authentication weakness where web applications fail to properly invalidate session identifiers after a user logs out or after a period of inactivity. This flaw allows attackers to exploit stale session tokens, often obtained through network sniffing, session fixation, or simply waiting for a user to abandon a shared device. By reusing these stale, still-accepted credentials, adversaries can bypass authentication mechanisms and gain unauthorized access to sensitive user accounts or administrative functions without needing to crack passwords. To mitigate this risk, developers must implement robust session management that enforces strict expiration policies. This includes setting appropriate timeout durations for both active and idle sessions, ensuring that logout actions immediately invalidate server-side session data, and using Secure, HttpOnly cookies to prevent client-side script access to session identifiers.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
Bad · Java
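The mitigations listed above, carried into a minimal server-side session store as an added example (not MITRE's code and not from any product on this page): an idle timeout, an absolute lifetime cap, server-side invalidation on logout, bulk termination of a user's sessions after a credential change, and a Set-Cookie value with the Secure and HttpOnly attributes. The timeout values, class and function names, and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard lifetime cap, regardless of activity

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    """Server-side session store with idle/absolute expiry and explicit invalidation."""
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so expiry can be tested offline
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        # Mint a fresh, unguessable ID per login; never adopt a client-supplied one (fixation).
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str):
        # Return the session's user, or None if the ID is unknown or has expired.
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]    # purge server-side so the stale token cannot be replayed
            return None
        sess.last_seen = now           # activity extends the idle window, never the absolute cap
        return sess.user

    def logout(self, sid: str) -> None:
        # Logout deletes server state; clearing only the client cookie leaves the token usable.
        self._sessions.pop(sid, None)

    def logout_all(self, user: str) -> None:
        # After a password change or 2FA enrolment, terminate every session held by the user.
        for sid in [s for s, v in self._sessions.items() if v.user == user]:
            del self._sessions[sid]

def session_cookie(sid: str, name: str = "SESSIONID") -> str:
    # Max-Age mirrors the idle window; Secure/HttpOnly/SameSite limit exposure of the ID.
    return f"{name}={sid}; Path=/; Max-Age={IDLE_TIMEOUT}; Secure; HttpOnly; SameSite=Strict"
```

In a real deployment the store would live in a shared backend (database or cache) so that logout and expiry take effect on every application node, not only the one that issued the ID.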
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2023-4126 | Insufficient Session Expiration in answerdev/answer — answerdev/answer | 8.3 | - | 2023-08-03
CVE-2023-4005 | Insufficient Session Expiration in fossbilling/fossbilling — fossbilling/fossbilling | 8.8 | - | 2023-07-31
CVE-2023-38489 | Kirby vulnerable to Insufficient Session Expiration after a password change — kirby | 7.3 | High | 2023-07-27
CVE-2023-37919 | Cal.com not expiring old sessions after enabling 2FA — cal.com | 6.5 | Medium | 2023-07-25
CVE-2023-28001 | Fortinet FortiOS code issue vulnerability — FortiOS | 4.1 | Medium | 2023-07-11
CVE-2023-0041 | IBM Security Guardium session fixation — Security Guardium | 6.3 | Medium | 2023-06-05
CVE-2023-32318 | User session not correctly destroyed on logout — security-advisories | 7.2 | High | 2023-05-26
CVE-2023-31065 | Apache InLong: Insufficient Session Expiration in InLong — Apache InLong | 9.8 | - | 2023-05-22
CVE-2023-31139 | DHIS2 Core unrestricted session cookies with Personal Access Tokens — dhis2-core | 4.3 | Medium | 2023-05-09
CVE-2023-31140 | OpenProject user sessions not terminated after activation of 2FA — openproject | 4.8 | Medium | 2023-05-08
CVE-2020-4914 | IBM Cloud Pak System Software Suite session fixation — Cloud Pak System Software Suite | 4.2 | Medium | 2023-05-05
CVE-2022-38707 | IBM Cognos Command Center information disclosure — Cognos Command Center | 4.0 | Medium | 2023-05-05
CVE-2023-28003 | Schneider Electric EcoStruxure Power Monitoring Expert code issue vulnerability — EcoStruxure Power Monitoring Expert | 6.7 | Medium | 2023-04-18
CVE-2023-1854 | SourceCodester Online Graduate Tracer System session expiration — Online Graduate Tracer System | 4.7 | Medium | 2023-04-05
CVE-2023-1788 | Insufficient Session Expiration in firefly-iii/firefly-iii — firefly-iii/firefly-iii | 9.8 | - | 2023-04-05
CVE-2021-3844 | Rapid7 InsightVM Insufficient Session Expiration — InsightVM | 5.7 | Medium | 2023-03-24
CVE-2023-1543 | Insufficient Session Expiration in answerdev/answer — answerdev/answer | 9.8 | - | 2023-03-21
CVE-2023-22591 | IBM Robotic Process Automation session fixation — Robotic Process Automation | 3.9 | Low | 2023-03-15
CVE-2023-23929 | Refresh tokens do not expire in Vantage6 — vantage6 | 8.8 | High | 2023-03-03
CVE-2022-48317 | Insecure Termination of RestAPI Session Tokens — Checkmk | 5.6 | Medium | 2023-02-20
CVE-2023-25562 | Failure to Invalidate Session on Logout in DataHub — datahub | 6.9 | Medium | 2023-02-10
CVE-2022-34392 | Dell SupportAssist for Home PCs code issue vulnerability — SupportAssist | 5.5 | Medium | 2023-02-10
CVE-2023-23614 | Improper session handling of "Remember me for 7 days" functionality — AdminLTE | 8.8 | High | 2023-01-26
CVE-2023-22732 | Insufficient Session Expiration in Administration in shopware — platform | 3.7 | Low | 2023-01-17
CVE-2023-0227 | Insufficient Session Expiration in pyload/pyload — pyload/pyload | 9.8 | - | 2023-01-12
CVE-2023-22492 | RefreshToken invalidation vulnerability — zitadel | 5.9 | Medium | 2023-01-11
CVE-2022-46177 | Discourse password reset link can lead to account takeover if user changes to a new email — discourse | 5.7 | Medium | 2023-01-05
CVE-2022-43844 | IBM Robotic Process Automation for Cloud Pak session fixation — Robotic Process Automation for Cloud Pak | 8.1 | - | 2023-01-05
CVE-2022-22371 | IBM Sterling B2B Integrator Standard Edition session fixation — Sterling B2B Integrator Standard Edition | 5.5 | Medium | 2023-01-04
CVE-2022-23502 | TYPO3 contains Insufficient Session Expiration after Password Reset — typo3 | 5.4 | Medium | 2022-12-14

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 302 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.