CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
We have discovered 4,295 live websites that are affected by CWE-613.
CVEs
- Count - 10
CWE References
Website Distribution by Country
Number of websites using CWE-613 United States | 2,389 websites |
 France | 291 websites |
 Germany | 283 websites |
 GB | 150 websites |
 Canada | 122 websites |
 Japan | 89 websites |
 Singapore | 81 websites |
 Turkey | 73 websites |
 Italy | 62 websites |
 Qatar | 62 websites |
Website Distribution by TLD
Number of websites using CWE-613| .com | 1,671 websites |
| .org | 550 websites |
| .net | 149 websites |
| .ca | 89 websites |
| .co.uk | 81 websites |
| .de | 63 websites |
| .io | 61 websites |
| .it | 53 websites |
| .com.au | 42 websites |
| .fr | 41 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-613| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Oct, 2025 | CVE-2025-62174 | Mastodon allows continued access after password reset via CLI | 976 |
| Apr, 2025 | CVE-2025-1968 | Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some... | 1,054 |
| Feb, 2025 | CVE-2025-24896 | Misskey allows token to remain valid in cookie after signing out | 6 |
| Jan, 2025 | CVE-2024-11627 | : Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.Thi... | 2,000 |
| Feb, 2024 | CVE-2024-25619 | Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon | 64 |
| Jan, 2023 | CVE-2022-46177 | Discourse password reset link can lead to in account takeover if user changes to a new email | 779 |
| Nov, 2022 | CVE-2022-39234 | user session persists even after permanently deleting account in GLPI | 50 |
| Jun, 2022 | CVE-2022-31050 | Insufficient Session Expiration in TYPO3 Admin Tool | 1 |
| Jan, 2021 | CVE-2020-15220 | Session fixation | 4 |
| Jan, 2021 | CVE-2020-15218 | Admin pages are cached and can be embedded | 4 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-613| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Jan, 2025 | CVE-2024-11627 | : Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.Thi... | 2,000 |
| Apr, 2025 | CVE-2025-1968 | Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some... | 1,054 |
| Oct, 2025 | CVE-2025-62174 | Mastodon allows continued access after password reset via CLI | 976 |
| Jan, 2023 | CVE-2022-46177 | Discourse password reset link can lead to in account takeover if user changes to a new email | 779 |
| Feb, 2024 | CVE-2024-25619 | Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon | 64 |
| Nov, 2022 | CVE-2022-39234 | user session persists even after permanently deleting account in GLPI | 50 |
| Feb, 2025 | CVE-2025-24896 | Misskey allows token to remain valid in cookie after signing out | 6 |
| Jan, 2021 | CVE-2020-15218 | Admin pages are cached and can be embedded | 4 |
| Jan, 2021 | CVE-2020-15220 | Session fixation | 4 |
| Jun, 2022 | CVE-2022-31050 | Insufficient Session Expiration in TYPO3 Admin Tool | 1 |
Websites affected by CWE-613
Top websites that are affected by CWE-613. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.net | Germany | *** | |
| *********.net | GB | *,*** | |
| ***.gov | United States | *,*** | |
| **************.com | United States | *,*** | |
| ***.org | United States | **,*** | |
| *******.***.gov | United States | **,*** | |
| *****.org | United States | **,*** | |
| ************.com | United States | **,*** | |
| *******.org | United States | **,*** | |
| **********.org | United States | **,*** |