/

Insufficient Session Expiration in admidio/admidio

Valid

Reported on

Mar 9th 2022

Description

The application failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords.

Proof of Concept

1.Login same account in two different browsers.

2.Try to change the password from one browser.

3.You will see after changing the password, sessions don't get destroyed from another browser and it is still logged in with old passwords.

Impact

If a user's account got compromised and he/she tried to change the password still after changing the password session will not destroy and the attacker will have control over the account.

References

nvd

We are processing your report and will contact the admidio team within 24 hours. a year ago

We have contacted a member of the admidio team and are waiting to hear back a year ago

Markus Faßbender validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Researcher

You are welcome @maintainer @fasse. As admidio have many past CVE's: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=admidio @admin can you please register a CVE for this report?

commented a year ago

Researcher

@maintainer are you agree?

commented a year ago

Admin

Sure, we can assign a CVE, we just require permission from the maintainer before we proceed 👍

commented a year ago

Researcher

Okay thanks @admin

commented a year ago

Researcher

@maintainer can you please reply

We have sent a fix follow up to the admidio team. We will try again in 7 days. a year ago

A admidio/admidio maintainer

commented a year ago

Maintainer

Yes you can create a CVE. We will release a fixed version today.

commented a year ago

Researcher

@admin Maintainer is agree so can you please register a CVE for this report?

commented a year ago

Admin

CVE assigned! 👍

Once you have confirmed the fix, just give me a ping, and we will get the CVE published too.

commented a year ago

Researcher

@admin Okay thanks

Markus Faßbender marked this as fixed in 4.1.9 with commit e84e47 a year ago

Markus Faßbender has been awarded the fix bounty

This vulnerability will not receive a CVE

commented a year ago

Researcher

@admin The fix has been deployed so can you please publish the CVE?

commented a year ago

Admin

Published!

commented a year ago

Researcher

Thanks @admin

to join this conversation

We are processing your report and will contact the admidio team within 24 hours. a year ago

We have contacted a member of the admidio team and are waiting to hear back a year ago

Markus Faßbender validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Researcher

You are welcome @maintainer @fasse. As admidio have many past CVE's: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=admidio @admin can you please register a CVE for this report?

commented a year ago

Researcher

@maintainer are you agree?

commented a year ago

Admin

Sure, we can assign a CVE, we just require permission from the maintainer before we proceed 👍

commented a year ago

Researcher

Okay thanks @admin

commented a year ago

Researcher

@maintainer can you please reply

We have sent a fix follow up to the admidio team. We will try again in 7 days. a year ago

A admidio/admidio maintainer

commented a year ago

Maintainer

Yes you can create a CVE. We will release a fixed version today.

commented a year ago

Researcher

@admin Maintainer is agree so can you please register a CVE for this report?

commented a year ago

Admin

CVE assigned! 👍

Once you have confirmed the fix, just give me a ping, and we will get the CVE published too.

commented a year ago

Researcher

@admin Okay thanks

Markus Faßbender marked this as fixed in 4.1.9 with commit e84e47 a year ago

Markus Faßbender has been awarded the fix bounty

This vulnerability will not receive a CVE

commented a year ago

Researcher

@admin The fix has been deployed so can you please publish the CVE?

commented a year ago

Admin

Published!

commented a year ago

Researcher

Thanks @admin

to join this conversation