Reliance on Cookies without Validation and Integrity Checking in erudika/scoold


Reported on

Jul 10th 2021

Reuse of cookies:

The cookies are not expiring after sign out. Once the user signs out of his account, the cookies needs to be expired and should not be any use of reuse. But in this case, an attacker can grab the cookies and use them to log them into a user's account


1)Go to 2)Login using your credentials 3)Now copy the cookies 4)Log out of your account 5)Go to Mozilla and paste the cookies 6)You will be logged into the user's account

P.S: I apologise if I set the permalink wrong, but Iam kind a new to this

We have contacted a member of the erudika/scoold team and are waiting to hear back 2 years ago
sudheendra17 modified the report
2 years ago
2 years ago


That's right - those cookies contain JWTs which only expire when the value of the exp property is reached. This is a "won't fix".

Alex Bogdanovski validated this vulnerability 2 years ago
sudheendra17 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski marked this as fixed with commit c25189 2 years ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation