Session does not expire on logout in plankanban/planka

Valid

Reported on

Aug 27th 2022


Description

Existing session is not invalidated on actions like logout. The fact that the session key is valid for 1 year makes it more dangerous.

Proof of Concept

  1. Login to planka
  2. Record the session token
  3. Logout
  4. Replay an authenticated request with the recorded token. The actions will still be executed.

Impact

The session token is valid for a year. If an attacker has access to the session token then, the attacker can use it to access user account for an year.

We are processing your report and will contact the plankanban/planka team within 24 hours. 3 months ago
We have contacted a member of the plankanban/planka team and are waiting to hear back 3 months ago
Maksim Eltyshev validated this vulnerability 3 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the plankanban/planka team. We will try again in 7 days. 3 months ago
Maksim Eltyshev marked this as fixed in 1.8.0 with commit 810993 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation