Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-24667

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-03 Feb, 2026 | 16:59
Updated At-04 Feb, 2026 | 16:51
Rejected At-
Credits

Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:03 Feb, 2026 | 16:59
Updated At:04 Feb, 2026 | 16:51
Rejected At:
â–ĽCVE Numbering Authority (CNA)
Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2.

Affected Products
Vendor
gunet
Product
openeclass
Versions
Affected
  • < 4.2
Problem Types
TypeCWE IDDescription
CWECWE-613CWE-613: Insufficient Session Expiration
Type: CWE
CWE ID: CWE-613
Description: CWE-613: Insufficient Session Expiration
Metrics
VersionBase scoreBase severityVector
3.15.0MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 5.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224
x_refsource_CONFIRM
Hyperlink: https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224
Resource:
x_refsource_CONFIRM
â–ĽAuthorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:03 Feb, 2026 | 18:16
Updated At:10 Feb, 2026 | 18:35

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.0MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 5.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CPE Matches
gunet
gunet
>>open_eclass_platform>>Versions before 4.2(exclusive)
cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-613Primarysecurity-advisories@github.com
CWE ID: CWE-613
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2026-24669
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.90%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 17:00
Updated-10 Feb, 2026 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open eClass Insecure Password Reset Token Reuse Enables Account Takeover

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.

Action-Not Available
Vendor-gunetgunet
Product-open_eclass_platformopeneclass
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2025-62329
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5||MEDIUM
EPSS-0.06% / 17.95%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 15:11
Updated-07 Jan, 2026 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DevOps Deploy / HCL Launch is susceptible to an insufficient session expiration vulnerability

HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchhcl_devops_deployDevOps Deploy / Launch
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2025-62781
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.05% / 16.58%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 21:22
Updated-04 Nov, 2025 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PILOS is missing session regeneration after password change

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0.

Action-Not Available
Vendor-thmTHM-Health
Product-pilosPILOS
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2025-35433
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-2.3||LOW
EPSS-0.04% / 11.24%
||
7 Day CHG-0.04%
Published-17 Sep, 2025 | 16:52
Updated-30 Sep, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CISA Thorium does not properly invalidate previously used tokens

CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.

Action-Not Available
Vendor-cisaCISA
Product-thoriumThorium
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2025-36360
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5||MEDIUM
EPSS-0.06% / 17.04%
||
7 Day CHG~0.00%
Published-15 Dec, 2025 | 19:38
Updated-18 Dec, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability

IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.

Action-Not Available
Vendor-IBM Corporation
Product-devops_deployurbancode_deployUCD - IBM UrbanCode DeployUCD - IBM DevOps Deploy
CWE ID-CWE-613
Insufficient Session Expiration
Details not found