Session does not expire on logout in plankanban/planka

Valid

Reported on

Aug 27th 2022

Description

Existing session is not invalidated on actions like logout. The fact that the session key is valid for 1 year makes it more dangerous.

Proof of Concept

Login to planka
Record the session token
Logout
Replay an authenticated request with the recorded token. The actions will still be executed.

Impact

The session token is valid for a year. If an attacker has access to the session token then, the attacker can use it to access user account for an year.

References

https://cwe.mitre.org/data/definitions/384.html

We are processing your report and will contact the plankanban/planka team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the plankanban/planka team and are waiting to hear back a year ago

Maksim Eltyshev validated this vulnerability a year ago

Niraj Khatiwada has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

We have sent a fix follow up to the plankanban/planka team. We will try again in 7 days. a year ago

Maksim Eltyshev marked this as fixed in 1.8.0 with commit 810993 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation