Session Fixation in monicahq/monica

Valid

Reported on

May 9th 2021


✍️ Description

Recently there were more than 5 reports at huntr showing how to trigger XSS in Monica. The session fixation I am reporting here can be used together with those bugs, or for post-exploitation to maintain access to an account even after the account's password has been changed.

🕵️‍♂️ Proof of Concept

  • Open the account in a new tab.
  • Open the same account in a private window or on another device.
  • Change the password in one of them and reload the other.
  • We can see the session isn't expiring.

💥 Impact

The session persists even after the user changes the account's password.
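The behaviour in the report, modelled as an added example (this is not Monica's code and does not reproduce its fix): a tiny in-memory session store where each session records the password version it was issued under, so that after a password change every other session of that user is rejected on its next request. User and password values are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    password: str              # plaintext only to keep the model short; store a hash in real code
    password_version: int = 0  # bumped on every password change

@dataclass
class SessionStore:
    hardened: bool  # False behaves as the report describes: sessions survive a password change
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # token -> (username, password_version at login)

    def login(self, name: str, password: str) -> str:
        user = self.users[name]
        if user.password != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = (name, user.password_version)
        return token

    def current_user(self, token: str):
        """Per-request check: a hardened store rejects and deletes sessions issued under an older password."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, issued_version = entry
        if self.hardened and issued_version != self.users[name].password_version:
            del self.sessions[token]
            return None
        return name

    def change_password(self, token: str, old: str, new: str) -> None:
        name = self.current_user(token)
        if name is None or self.users[name].password != old:
            raise PermissionError("not authenticated or wrong current password")
        user = self.users[name]
        user.password, user.password_version = new, user.password_version + 1
        # Re-bind only the session that made the change; every other session of this user is now stale.
        self.sessions[token] = (name, user.password_version)

def replay_report(hardened: bool) -> bool:
    """Report steps: log in in a tab and a private window, change the password in the tab,
    reload the private window. True means the stale session is still accepted."""
    store = SessionStore(hardened=hardened, users={"alice": User("old-pw")})
    tab = store.login("alice", "old-pw")
    private = store.login("alice", "old-pw")
    store.change_password(tab, "old-pw", "new-pw")
    return store.current_user(private) == "alice"
```

With `hardened=False` the private-window session is still accepted after the change, which is the reported behaviour; with `hardened=True` it is rejected while the session that changed the password stays logged in.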

Ajmal
a year ago

Researcher


POC screenshot

Ajmal
a year ago

Researcher


https://discord.com/channels/698921711738945587/749019614352244777/854673791895863347

Ajmal
a year ago

Researcher


New link: https://drive.google.com/file/d/1E0O1OQqoxZ8S034pb4ELPL37M-0afxUz/view?usp=sharing

Ajmal
a year ago

Researcher


Please try this if the above one doesn't work: https://drive.google.com/file/d/1E0O1OQqoxZ8S034pb4ELPL37M-0afxUz/view?usp=sharing

Alexis Saettler validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alexis Saettler
a year ago

Maintainer


Thank you for the submission.

Alexis Saettler confirmed that a fix has been merged on a4c037 a year ago
Alexis Saettler has been awarded the fix bounty