Authentication cookie is not renewed after successful login in instantsoft/icms2
Valid
Reported on Aug 14th 2023
Description
The ICMS62EC2566CC4B5 cookie keeps the same value after login: it is neither changed nor renewed when the user authenticates.
Detail:
1/ Open the web demo and use the browser's developer tools to inspect the cookies.
2/ Note the value of the ICMS62EC2566CC4B5 cookie, log in, and observe that the value is unchanged.
Proof of Concept
Link video PoC: https://drive.google.com/file/d/1fjZkjVCNuCTQb-7kEVZs-XJdIkQTgUO9/view?usp=sharing
Impact
Because the pre-login cookie value stays valid after authentication, an attacker who can get a known value set in the victim's browser before login (session fixation) holds a valid authenticated session once the victim logs in. A successful session fixation attack gives the attacker access to the victim's account; this could mean access to higher-level privileges or the ability to read sensitive data. Note that the report demonstrates only the missing renewal: exploitation additionally requires some way to plant the cookie in the victim's browser.
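The two-step check above and the fixation consequence described under Impact, as an added example that is not part of the original report or of icms2. Two tiny in-process HTTP servers are constructed here to stand in for the application: one reproduces the reported behaviour (same cookie before and after login), the other issues a fresh id on login, which is what PHP's `session_regenerate_id(true)` does. The cookie name is taken from the report and assumed to carry the session id; the `/login` path, the `/me` probe and the `demo`/`demo` credentials are constructed for the demo.

```python
import secrets
import threading
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "ICMS62EC2566CC4B5"  # name from the report; assumed to carry the session id
CREDS = {"login": "demo", "password": "demo"}  # constructed demo account


def make_handler(regenerate_on_login):
    """Handler for a stand-in app; regenerate_on_login=False reproduces the reported behaviour."""
    logged_in = set()  # session ids that have authenticated

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _sid(self):
            jar = SimpleCookie(self.headers.get("Cookie", ""))
            return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

        def _reply(self, body, sid=None):
            self.send_response(200)
            if sid is not None:
                self.send_header("Set-Cookie", f"{COOKIE_NAME}={sid}; Path=/; HttpOnly")
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            sid = self._sid()
            if self.path == "/me":  # who does the server think this session is?
                self._reply(b"user:demo" if sid in logged_in else b"anonymous")
            elif sid is None:  # first visit: hand out a pre-authentication session id
                self._reply(b"login form", secrets.token_hex(16))
            else:
                self._reply(b"login form")

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            sid = self._sid() or secrets.token_hex(16)
            if form.get("login") != [CREDS["login"]] or form.get("password") != [CREDS["password"]]:
                self._reply(b"bad credentials", sid)
                return
            if regenerate_on_login:
                # The fix: a fresh id at the privilege change (PHP: session_regenerate_id(true)),
                # so any id the client held before login is worthless afterwards.
                sid = secrets.token_hex(16)
            logged_in.add(sid)
            self._reply(b"welcome", sid)

    return Handler


def start_server(regenerate_on_login):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(regenerate_on_login))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def cookie_value(jar, name):
    return next((c.value for c in jar if c.name == name), None)


def check_cookie_renewal(base_url, login_path, creds, name=COOKIE_NAME):
    """Steps 1/ and 2/ of the report as code: record the cookie, log in, compare."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + login_path).read()
    before = cookie_value(jar, name)
    opener.open(base_url + login_path, data=urllib.parse.urlencode(creds).encode()).read()
    after = cookie_value(jar, name)
    return {"before": before, "after": after, "renewed": before is not None and before != after}


def fixation_succeeds(base_url, login_path, creds, name=COOKIE_NAME):
    """Attacker learns a pre-login id, it is planted in the victim's browser, the victim
    logs in: does the planted id now grant the attacker the victim's session?"""
    attacker = CookieJar()
    urllib.request.build_opener(urllib.request.HTTPCookieProcessor(attacker)).open(base_url + login_path).read()
    planted = cookie_value(attacker, name)
    victim_login = urllib.request.Request(base_url + login_path, data=urllib.parse.urlencode(creds).encode(),
                                          headers={"Cookie": f"{name}={planted}"})  # victim holds the planted id
    urllib.request.urlopen(victim_login).read()
    probe = urllib.request.Request(base_url + "/me", headers={"Cookie": f"{name}={planted}"})
    return urllib.request.urlopen(probe).read() == b"user:demo"


def demo():
    results = {}
    for label, regenerate in (("vulnerable", False), ("fixed", True)):
        srv, url = start_server(regenerate)
        try:
            results[label] = {"check": check_cookie_renewal(url, "/login", CREDS),
                              "fixation": fixation_succeeds(url, "/login", CREDS)}
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, "renewed:", r["check"]["renewed"], "fixation works:", r["fixation"])
```

`check_cookie_renewal` can be pointed at a real login form by passing its base URL, path and field names; `fixation_succeeds` needs the `/me` probe and so only runs against the stand-in servers. Against the vulnerable server the cookie is unchanged and the planted id is authenticated after the victim's login; against the fixed server the cookie changes and the planted id stays anonymous.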
We are processing your report and will contact the instantsoft/icms2 team within 24 hours.
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back.