Insufficient Session Expiration in nocodb/nocodb
Valid
Reported on Jun 3rd 2022
Description
The NocoDB application fails to invalidate existing sessions after a password change. In this scenario, changing the password does not destroy the other sessions that were established with the old password; they remain logged in.
Proof of Concept
Log in to the same account in two different browsers.
Change the password from browser one.
After the password change, the session in the other browser is not destroyed: it remains logged in even though it was authenticated with the old password.
PoC video:
https://drive.google.com/file/d/1gFn8BLktl90v2YfIRTimvFgu2rhNWoTx/view?usp=sharing
Impact
If a user's account is compromised and the user changes the password in response, the attacker's existing session is not destroyed by the change, so the attacker retains control over the account.
We are processing your report and will contact the nocodb team within 24 hours.
a year ago
Hello @admin, the maintainer has provided the email ID, so can you please invite them to this report?
We have contacted a member of the nocodb team and are waiting to hear back.
a year ago
Raj modified the report
a year ago
We have sent a follow up to the nocodb team. We will try again in 7 days.
a year ago
The researcher's credibility has increased: +7