Encountered Session Fixation bug in userfrosting/UserFrosting repo. As per certain CVEs present Session Fixation is a medium to High Severity bug.
Proof of Concept
- setup UserFrosting platform to reproduce the vulnerability
- open an account in multiple browsers like 2 different private modes of chrome and firefox.
- login the same account in both browsers.
- change the password of the account in one browser, meanwhile, try to reload the same account in the other browser.
- we can see the old session still works and that there is no new session created for the change of password.
An attacker is able to maintain access with old sessions even if the security of the account is updated.