CWE-613

Total CVEs: 143
Critical: 33
High: 63
Avg CVSS: 7.5

Yearly Trend

2026: 16
2025: 48
2024: 28
2023: 15
2022: 10

Top Affected Vendors

1. IBM: 10
2. Fortinet: 8
3. Apache: 6
4. HCLTech: 4
5. Siemens: 3
6. Nagios: 3
7. F5: 2
8. Cisco: 2
9. Dell: 2
10. PHPGurukul: 2

All CWE-613 CVEs (143)

CVE-2024-8888
10.0

An attacker on the same network as a vulnerable CIRCUTOR Q-SMT device can steal authentication tokens that never expire, allowing unrestricted access ...

Sep 18, 2024
CVE-2024-13996
9.8

Nagios XI versions before 2024R1.1.3 fail to invalidate existing user sessions when passwords are changed, allowing attackers who have compromised a s...

Oct 30, 2025
CVE-2025-54592
9.8

FreshRSS versions 1.26.3 and below have a session management vulnerability where logout doesn't properly invalidate session cookies. This allows attac...

Sep 29, 2025
CVE-2024-43685
9.8

CVE-2024-43685 is an improper authentication vulnerability in Microchip TimeProvider 4100 login modules that allows session hijacking through token fi...

Oct 4, 2024
CVE-2024-42447
9.8

This vulnerability in Apache Airflow's FAB provider prevents users from logging out, potentially allowing unauthorized access to sessions. It affects ...

Aug 5, 2024
CVE-2024-29401
9.8

xzs-mysql 3.8 has insufficient session expiration that allows attackers to reuse deleted admin sessions for unauthorized actions. This affects all dep...

Mar 26, 2024
CVE-2024-25718
9.8

This vulnerability in the Samly package for Elixir allows expired authentication sessions to remain valid, potentially enabling unauthorized access to...

Feb 11, 2024
CVE-2023-5865
9.8

This vulnerability in phpMyFAQ allows attackers to maintain access to user sessions beyond intended expiration times. Attackers can hijack sessions to...

Oct 31, 2023
CVE-2023-5838
9.8

This vulnerability allows attackers to maintain access to user sessions indefinitely due to insufficient session expiration in LinkStack. All users ru...

Oct 29, 2023
CVE-2023-4005
9.8

CVE-2023-4005 is an insufficient session expiration vulnerability in fossbilling that allows attackers to maintain access to user sessions beyond inte...

Jul 31, 2023
CVE-2023-1788
9.8

CVE-2023-1788 is an insufficient session expiration vulnerability in Firefly III personal finance software that allows attackers to maintain access to...

Apr 5, 2023
CVE-2021-25992
9.8

CVE-2021-25992 is a session management vulnerability in Ifme where user sessions remain valid after logout, allowing attackers to reuse admin cookies....

Feb 10, 2022
CVE-2021-22820
9.8

This vulnerability allows attackers to maintain unauthorized access to EV charger web servers even after legitimate users change their passwords. Atta...

Jan 28, 2022
CVE-2021-25981
9.8

CVE-2021-25981 is an insufficient session expiration vulnerability in Talkyard that allows attackers to reuse valid admin session tokens even after lo...

Jan 3, 2022
CVE-2020-27416
9.8

The Mahavitaran Android application versions 7.50 and earlier contain an improper OTP validation vulnerability that allows remote attackers to take ov...

Dec 8, 2021
CVE-2021-25979
9.8

Apostrophe CMS versions before 3.3.1 fail to invalidate existing login sessions when user accounts are disabled or passwords are changed. This allows ...

Nov 8, 2021
CVE-2021-40849
9.8

This vulnerability allows attackers to exploit web services tokens in Mahara to log into associated accounts without proper authentication. This affec...

Nov 3, 2021
CVE-2021-37333
9.8

Laravel Booking System Booking Core 2.0 has a session management vulnerability where changing a user's password doesn't invalidate existing sessions i...

Oct 4, 2021
CVE-2021-38823
9.8

CVE-2021-38823 is a session management vulnerability in IceHrm where admin session tokens remain valid after logout when accessed from different brows...

Oct 4, 2021
CVE-2020-35358
9.8

CVE-2020-35358 is an insufficient session expiration vulnerability in DomainMOD v4.15.0 where user sessions remain active after password changes, allo...

Mar 15, 2021
CVE-2020-6649
9.8

CVE-2020-6649 is an insufficient session expiration vulnerability in Fortinet's FortiIsolator that allows attackers to reuse unexpired admin session I...

Feb 8, 2021
CVE-2021-3311
9.8

CVE-2021-3311 is an authentication bypass vulnerability in October CMS where old session IDs become reactivated after a new login occurs. This allows ...

Feb 5, 2021
CVE-2020-29667
9.8

CVE-2020-29667 allows remote attackers to bypass authentication and gain control over Lan ATMService M3 ATM Monitoring System by using a default sessi...

Dec 10, 2020
CVE-2020-27422
9.8

This vulnerability in Anuko Time Tracker allows attackers to reuse password reset links after they've already been used, enabling account takeover. It...

Nov 16, 2020
CVE-2020-27739
9.8

CVE-2020-27739 is a weak session management vulnerability in Citadel WebCit that allows unauthenticated remote attackers to hijack recently logged-in ...

Oct 28, 2020
CVE-2025-24973
9.3

This vulnerability in Concorde (formerly Nexkey) allows authentication credentials to persist in cookies after logout, enabling attackers to steal aut...

Feb 11, 2025
CVE-2025-56643
9.1

Wiki.js 2.5.307 has a critical authentication flaw where JWT tokens remain valid after logout, allowing session hijacking. Attackers can reuse stolen ...

Nov 18, 2025
CVE-2021-35473
9.1

This vulnerability in LemonLDAP::NG allows attackers to use expired OAuth2 access tokens to bypass authentication and access protected resources. It a...

Nov 10, 2024
CVE-2024-29070
9.1

This vulnerability allows session tokens to remain valid after logout, enabling attackers to reuse stolen or previously obtained 'Authorization' token...

Jul 23, 2024
CVE-2024-35049
9.1

SurveyKing v1.3.1 fails to properly invalidate user sessions after logout, allowing attackers to reuse active sessions. This affects all users of vuln...

May 14, 2024
CVE-2023-31065
9.1

This CVE describes an Insufficient Session Expiration vulnerability in Apache InLong where old sessions remain valid even after user deletion or passw...

May 22, 2023
CVE-2022-24042
9.1

This vulnerability allows attackers to reuse captured authentication tokens beyond their intended expiration time in Siemens Desigo building automatio...

May 10, 2022
CVE-2021-3144
9.1

This vulnerability in SaltStack Salt allows expired eauth tokens to be reused once after expiration, potentially enabling attackers to execute unautho...

Feb 27, 2021
CVE-2025-66289
8.8

OrangeHRM versions 5.0 through 5.7 fail to invalidate active user sessions when accounts are disabled or passwords are changed. This allows disabled u...

Nov 29, 2025
CVE-2025-40566
8.8

This vulnerability allows session hijacking in Siemens SIMATIC PCS neo industrial control systems. An attacker who obtains a valid session token can r...

May 13, 2025
CVE-2025-24859
8.8

Apache Roller versions up to 6.1.4 have a session management vulnerability where active user sessions remain valid after password changes. This allows...

Apr 14, 2025
CVE-2024-45386
8.8

This vulnerability allows session hijacking in Siemens industrial control software. An attacker who obtains a valid session token can reuse it even af...

Feb 11, 2025
CVE-2024-5995
8.8

The Soar Cloud HR Portal sends notification emails containing links with embedded sessions that remain valid for over 7 days due to improper session e...

Jun 14, 2024
CVE-2023-51772
8.8

This vulnerability allows attackers to escape the kiosk mode in One Identity Password Manager and gain SYSTEM-level command execution on Windows clien...

Dec 25, 2023
CVE-2023-49091
8.8

Cosmos-server versions before 0.13.1 have an authentication token expiration flaw where authorization headers remain valid after logout. This allows a...

Nov 29, 2023
CVE-2023-1543
8.8

CVE-2023-1543 is an insufficient session expiration vulnerability in the Answer software that allows attackers to maintain access to user sessions bey...

Mar 21, 2023
CVE-2023-23929
8.8

This vulnerability in vantage6 allows indefinite refresh token validity, enabling attackers with stolen tokens to maintain persistent unauthorized acc...

Mar 4, 2023
CVE-2022-2064
8.8

This vulnerability allows attackers to maintain access to NoCodeDB sessions beyond intended expiration times, potentially leading to unauthorized acce...

Jun 13, 2022
CVE-2022-23669
8.8

CVE-2022-23669 is a remote authorization bypass vulnerability in Aruba ClearPass Policy Manager that allows attackers to bypass authentication mechani...

May 17, 2022
CVE-2022-23063
8.8

This vulnerability allows users who were already logged into Shopizer to maintain access even after their password has been changed, either by themsel...

May 3, 2022
CVE-2022-22113
8.8

DayByDay CRM versions 2.2.0 through 2.2.1 have an insufficient session expiration vulnerability where users remain logged in after password changes. T...

Jan 13, 2022
CVE-2021-25970
8.8

Camaleon CMS versions 0.1.7 through 2.6.0 have an authentication flaw where user sessions remain active even after password changes. This allows previ...

Oct 20, 2021
CVE-2021-25966
8.8

This vulnerability in Orchard Core CMS allows users who were already logged in to maintain access even after their password has been changed. This aff...

Oct 10, 2021
CVE-2021-1501
8.6

This vulnerability allows unauthenticated remote attackers to cause a denial of service by sending crafted SIP traffic through affected Cisco ASA and ...

Apr 29, 2021
CVE-2025-65883
8.4

This vulnerability allows a local network attacker to execute arbitrary commands with root privileges on Genexis Platinum P4410 routers. The issue ste...

Dec 4, 2025

About CWE-613

Our database tracks 143 CVEs classified as CWE-613, with 33 rated critical and 63 rated high severity. The average CVSS score for CWE-613 vulnerabilities is 7.5.
