Session Fixation in gunet/openeclass


Reported on

Sep 29th 2021


The Cookie before & after user login doesn't change

Proof of Concept

// PoC.js
1 Load website in a new browser
2 Get cookie before login
3 Login to website
4 Get cookie after login
Compare those 2 values


Through other attack methods such as XSS, the attacker can store the user's cookies and access them later.

We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the gunet/openeclass team and are waiting to hear back 2 years ago
gunet/openeclass maintainer validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
gunet/openeclass maintainer marked this as fixed with commit 21105c 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
gunet/openeclass maintainer
2 years ago


Thanks for the report! We have applied a fix to the next release branch (3.12.x) and will be porting it forward to the default (4.0 future release) branch.

2 years ago


You're welcome ^^

to join this conversation