068 – Insecure session expiration time

Description

User sessions do not expire after 5 minutes of inactivity.

Impact

- Obtain user information. - Upload files to the application without authorization.

Recommendation

Close the sessions when they remain inactive more than 5 minutes.

Threat

Anonymous attacker from local network with access to an unatended session.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: L
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 023 - Terminate inactive user sessions

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Swift
• Typescript

Last updated

2024/02/09