Session Fixation in monicahq/monica
May 9th 2021
Recently there have been more than 5 reports at huntr showing how to trigger XSS in Monica. The session fixation I am reporting here can be used together with those bugs, or as a post-exploitation method to maintain access to an account even after the account's password has been changed.
Proof of Concept
- Open the account in a new tab.
- Open the same account in a private window or on another device.
- Change the password in one of them and reload the other.
- The session in the other tab or device does not expire.

The session persists even after the user changes the account password.
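As an added illustration, not code from Monica or from this report, the following Python session store shows the server-side mitigation for the behaviour described above: every session records the password version it was issued under, so after a password change any session from another tab or device is rejected on its next request. The hashing is a constructed toy for the demo; a real application uses a password hash such as bcrypt or argon2.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    password_hash: str
    password_version: int = 0  # bumped on every password change


@dataclass
class Session:
    username: str
    password_version: int  # version the session was issued under


class SessionStore:
    """Server-side sessions bound to the user's password version."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(password):
        # constructed toy hash for the demo only
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, username, password):
        self.users[username] = User(self._hash(password))

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user.password_hash != self._hash(password):
            return None
        sid = secrets.token_urlsafe(32)  # server-generated, never client-chosen
        self.sessions[sid] = Session(username, user.password_version)
        return sid

    def is_valid(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        # any session issued before the latest password change is stale
        return s.password_version == self.users[s.username].password_version

    def change_password(self, sid, new_password):
        if not self.is_valid(sid):
            return False
        s = self.sessions[sid]
        user = self.users[s.username]
        user.password_hash = self._hash(new_password)
        user.password_version += 1
        s.password_version = user.password_version  # only this session survives
        return True
```

In a Laravel application such as Monica the same effect is available from the framework: calling `Auth::logoutOtherDevices()` in the password-change handler, with the `AuthenticateSession` middleware enabled, invalidates the other sessions.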