Session Fixation in chatwoot/chatwoot
Jul 5th 2021
The application is vulnerable to a Session Fixation vulnerability: even after a user changes their password, the old sessions on other devices persist.
🕵️‍♂️ Proof of Concept
- Open Chatwoot and log in to your account in multiple browsers.
- Change the password of the account in one of them and reload the other.
- Due to insufficient session expiration, you will not be logged out of the account in the other browser.
The session will not expire even after changing the password.
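As an added illustration (this is not Chatwoot's code), a minimal Ruby model of the mitigation: each server-side session records a version counter that a password change increments, so the second browser's session is rejected once the password changes. The `User`, `SessionStore` and `other_device_still_logged_in?` names are constructed for this example, and plain SHA-256 stands in for a real password hash only to keep it short.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for a user record: a password digest plus a
# session_version counter that is bumped whenever the password changes.
class User
  attr_reader :id, :session_version
  def initialize(id, password)
    @id, @session_version = id, 0
    @digest = Digest::SHA256.hexdigest(password) # toy hash, not for production
  end
  def authenticate(password)
    @digest == Digest::SHA256.hexdigest(password)
  end
  # Bumping the version orphans every session issued under the old password.
  def change_password!(new_password)
    @digest = Digest::SHA256.hexdigest(new_password)
    @session_version += 1
  end
end

# Server-side session table keyed by an opaque random session id. With
# bind_to_password: false the version is ignored on lookup, which reproduces
# the reported behaviour; with true a stale version rejects the session.
class SessionStore
  def initialize(bind_to_password: true)
    @bind, @sessions = bind_to_password, {}
  end
  def create(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: user.id, version: user.session_version }
    sid
  end
  def valid?(sid, user)
    s = @sessions[sid]
    return false unless s && s[:user_id] == user.id
    !@bind || s[:version] == user.session_version
  end
end

# Replays the proof of concept: log in on two browsers, change the password
# on the first, then ask whether the second browser's session is still accepted.
def other_device_still_logged_in?(bind_to_password:)
  user  = User.new(1, 'old-password')
  store = SessionStore.new(bind_to_password: bind_to_password)
  store.create(user)            # browser A, the one that changes the password
  browser_b = store.create(user)
  user.change_password!('new-password')
  store.valid?(browser_b, user)
end
```

The device that changed the password would be issued a fresh session under the new version, so only the other browsers are logged out.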