Session Fixation in erudika/scoold


Reported on

Jul 6th 2021

✍️ Description

A Session Fixation vulnerability was found in scoold: existing sessions are not invalidated after a password update, so a session established before the change keeps working afterwards.

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Log in to the same account in a normal tab and in a private tab.
2. Change the password from either tab (say the private one), then refresh the normal tab.
3. You will see that the session in the normal tab has not expired.

💥 Impact

The session doesn't expire even after the victim changes the password.
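The following is an added illustration of the behaviour the report describes, not code from scoold or the erudika team. It models a minimal session store with a `revoke_on_password_change` switch: with the switch off, sessions created before a password change stay valid (the reported flaw); with it on, every session is stamped with the password "generation" it was issued under, and any session whose generation no longer matches is rejected on its next use, while the session that performed the change is carried forward. All names, the in-memory store and the PBKDF2 parameters are constructed for the example.

```python
"""Sessions surviving a password change (the reported flaw) beside a hardened
variant that revokes them. Added example; not scoold's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    pw_hash: bytes
    salt: bytes
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    pw_generation: int  # generation of the password that was current at login


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low only so the example runs quickly (constructed value).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class SessionStore:
    def __init__(self, revoke_on_password_change: bool):
        self.revoke = revoke_on_password_change
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, _hash(password, salt), salt)

    def login(self, name: str, password: str):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.pw_generation)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.user]
        if self.revoke and session.pw_generation != user.pw_generation:
            # Hardened path: this session was issued under an older password; drop it.
            del self.sessions[token]
            return False
        return True  # vulnerable path never checks the generation

    def change_password(self, token: str, old_password: str, new_password: str) -> bool:
        if not self.is_valid(token):
            return False
        user = self.users[self.sessions[token].user]
        if not hmac.compare_digest(_hash(old_password, user.salt), user.pw_hash):
            return False
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash(new_password, user.salt)
        user.pw_generation += 1
        if self.revoke:
            # Keep only the session that made the change, moved to the new generation.
            self.sessions[token].pw_generation = user.pw_generation
        return True


def reproduce(revoke_on_password_change: bool) -> dict:
    """Replays the report's steps: two tabs, password changed in one, the other refreshed."""
    store = SessionStore(revoke_on_password_change)
    store.register("victim", "old-pass")  # constructed account
    normal_tab = store.login("victim", "old-pass")
    private_tab = store.login("victim", "old-pass")
    assert store.change_password(private_tab, "old-pass", "new-pass")
    return {
        "normal_tab_still_valid": store.is_valid(normal_tab),
        "private_tab_still_valid": store.is_valid(private_tab),
        "old_password_logs_in": store.login("victim", "old-pass") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(False))
    print("hardened:  ", reproduce(True))
```

Tying session validity to a per-user password generation (or a `password_changed_at` timestamp compared against the session's issue time) means no enumeration of live sessions is needed at change time, which is why it works even when sessions live in a distributed cache.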

We have contacted a member of the erudika/scoold team and are waiting to hear back 2 years ago
Alex Bogdanovski validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski marked this as fixed with commit 69b0f1 2 years ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE