Session Fixation in erudika/scoold


Reported on Jul 6th 2021

✍️ Description

A Session Fixation vulnerability was found in scoold: existing sessions are not expired after a password update, so any session that was valid before the change remains valid afterwards.

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Log into the same account in a normal tab and in a private tab.
2. Change the password from either tab (say the private one), then refresh the normal tab.
3. The normal tab is still logged in: the old session has not been expired.
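The following is an added, self-contained illustration of the behaviour above and of the usual fix; it is not scoold's code, and the store, user model and `credential_epoch` field are assumptions made for the example. Each session records the "credential epoch" of the account at login time; rotating the password bumps the epoch, so every session issued before the change is rejected on its next request, while the tab that changed the password is handed a fresh session. The `reproduce` function walks through the report's three steps against both a store that ignores password changes and one that invalidates on them.

```python
"""Sessions bound to a per-user credential epoch (added example, not scoold's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    credential_epoch: int = 0  # assumed field: incremented on every password change


@dataclass
class Session:
    username: str
    epoch: int  # credential epoch of the account when this session was issued


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash a real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """In-memory store; `invalidate_on_password_change` toggles the fix."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.invalidate = invalidate_on_password_change

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str | None:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password, user.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.credential_epoch)
        return sid

    def current_user(self, sid: str) -> str | None:
        """Resolve a session id to a username, dropping sessions from a stale epoch."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        user = self.users[session.username]
        if self.invalidate and session.epoch != user.credential_epoch:
            del self.sessions[sid]  # issued before the last password change: reject it
            return None
        return session.username

    def change_password(self, sid: str, old: str, new: str) -> str | None:
        """Rotate the password; returns the session id the caller should continue with."""
        username = self.current_user(sid)
        if username is None:
            return None
        user = self.users[username]
        if not hmac.compare_digest(user.password_hash, _hash(old, user.salt)):
            return None
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash(new, user.salt)
        if not self.invalidate:
            return sid  # vulnerable behaviour: every existing session keeps working
        user.credential_epoch += 1        # all sessions issued so far are now stale
        del self.sessions[sid]            # including this one; re-issue a fresh session
        return self.login(username, new)


def reproduce(invalidate: bool) -> bool:
    """Run the report's steps; True means the untouched 'normal' tab is still logged in."""
    store = SessionStore(invalidate)
    store.register("alice", "old-pass")          # constructed test account
    normal_tab = store.login("alice", "old-pass")
    private_tab = store.login("alice", "old-pass")
    assert store.change_password(private_tab, "old-pass", "new-pass") is not None
    return store.current_user(normal_tab) is not None


def changing_tab_stays_logged_in(invalidate: bool) -> bool:
    """The tab that rotated the password should keep working in either mode."""
    store = SessionStore(invalidate)
    store.register("alice", "old-pass")
    tab = store.login("alice", "old-pass")
    new_sid = store.change_password(tab, "old-pass", "new-pass")
    return new_sid is not None and store.current_user(new_sid) == "alice"


if __name__ == "__main__":
    print("stale session survives without the fix:", reproduce(False))
    print("stale session survives with the fix:   ", reproduce(True))
```

Storing an epoch (or the timestamp of the last credential change) on the account and comparing it on every request also covers sessions held in a separate store or in signed cookies, where enumerating and deleting a user's sessions at change time may not be possible.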

💥 Impact

The session does not expire even after the victim changes the password, so changing the password does not revoke access for anyone who already holds a valid session for the account.

We have contacted a member of the erudika/scoold team and are waiting to hear back 5 months ago
Alex Bogdanovski validated this vulnerability 5 months ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on 69b0f1 5 months ago
Alex Bogdanovski has been awarded the fix bounty