Reported on

Jun 19th 2021

✍️ Description

The application does not invalidate the session on logout: the session cookie issued at login remains valid after the user logs out. An attacker who holds a copy of any user's old cookie can replay it to manipulate application data on that user's behalf even after the user has logged out.

🕵️‍♂️ Proof of Concept

1. Log in to the application and copy the session cookie from a request.
2. Log out of the application.
3. Send a request for any critical action with the same cookie. The application still accepts the old cookie and performs the action.

💥 Impact

If an attacker obtains a user's session cookie by any means, they can use it to manipulate application data on that user's behalf, and neither logging out nor changing the password stops the replay, because the server never invalidates the old session.
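The three PoC steps and the password-change case from the Impact section, modelled against an in-memory session store, as an added example that is not code from amirsanni/mini-inventory-and-sales-management-system. The cookie name, the store layout and the "expire the browser cookie but keep the server record" logout are assumptions chosen to illustrate the bug class; the hardened variant shows the check the fix needs: delete the server-side record on logout, and reject sessions issued before a password change.

```python
"""Session cookie that outlives logout, next to the hardened form.

Added example for this report, not the project's code. Cookie name,
store layout and the vulnerable logout pattern are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

COOKIE_NAME = "session"  # hypothetical cookie name


@dataclass
class Record:
    user: str
    issued_at: float
    password_version: int  # user's password version when the session was issued


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self):
        self._records = {}      # cookie value -> Record
        self._pw_version = {}   # user -> int, bumped on every password change

    def login(self, user):
        """Issue a fresh random session id; return the Set-Cookie value."""
        sid = secrets.token_urlsafe(32)
        self._records[sid] = Record(user, time.time(), self._pw_version.get(user, 0))
        return f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax"

    def logout_vulnerable(self, sid):
        """Bug pattern (assumed): tell the browser to drop the cookie but leave
        the server-side record intact, so a copied cookie keeps working."""
        return f"{COOKIE_NAME}=; Max-Age=0"

    def logout_hardened(self, sid):
        """Destroy the server-side record; expiring the browser cookie is cosmetic."""
        self._records.pop(sid, None)
        return f"{COOKIE_NAME}=; Max-Age=0"

    def change_password(self, user):
        """Invalidate every session issued before this password change."""
        self._pw_version[user] = self._pw_version.get(user, 0) + 1

    def user_for(self, sid):
        """Authenticated user for a cookie value, or None if it is not valid."""
        rec = self._records.get(sid)
        if rec is None:
            return None
        if rec.password_version != self._pw_version.get(rec.user, 0):
            self._records.pop(sid, None)  # issued before a password change: drop it
            return None
        return rec.user


def cookie_value(set_cookie_header):
    """Extract the cookie value from a Set-Cookie header (PoC step 1)."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


def replay_after_logout(logout):
    """PoC steps 1-3: True if the copied cookie still authenticates after logout.
    `logout` is SessionStore.logout_vulnerable or SessionStore.logout_hardened."""
    store = SessionStore()
    sid = cookie_value(store.login("alice"))  # 1. log in, copy the cookie
    logout(store, sid)                        # 2. log out
    return store.user_for(sid) == "alice"     # 3. replay the old cookie


def replay_after_password_change():
    """Impact-section case: True if an old cookie survives a password change."""
    store = SessionStore()
    sid = cookie_value(store.login("alice"))
    store.change_password("alice")
    return store.user_for(sid) == "alice"


if __name__ == "__main__":
    print("replay works after vulnerable logout:",
          replay_after_logout(SessionStore.logout_vulnerable))
    print("replay works after hardened logout:",
          replay_after_logout(SessionStore.logout_hardened))
    print("replay works after password change:", replay_after_password_change())
```

Against a live application the same three steps are run over HTTP: copy the session cookie from a logged-in request, call the logout endpoint, then resend a state-changing request with the copied cookie and check whether it is still honoured. The server-side check is what matters: clearing the browser cookie alone, as the vulnerable logout above does, leaves every copy of it valid.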


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back a year ago
Amir validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on 8a995d 10 months ago
Amir has been awarded the fix bounty
Session.php#L49-L177 has been validated