NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.
In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.
IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.
A CWE-614 Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain an unauthorized access over a hijacked session to the charger station web server even after the legitimate user account holder has changed his password. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.
In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a user’s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks.
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection.
A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 LTS Desktop' Build 142-1 allows unauthorized users to maintain access to an account.
DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.
In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.
Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.
Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.1.
Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append arbitrary session id that will not be invalidated by subsequent authentication.
Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.
An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API.
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged out session, as a result any logged out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-083.
In Siren Investigate before 13.2.2, session keys remain active even after logging out.
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.
Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.
IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.