Insufficient Session Expiration in librenms/librenms
Sep 21st 2022
Active user sessions are not invalidated when that user is disabled.
Proof of Concept
Steps to reproduce:
1. Log in with an admin account.
2. Create a test user with the user role `Normal` & enable that user.
3. Log in with the test user in a separate browser or private browser window.
4. Disable the test user in the admin session.
5. Observe that the test user's session is still active in the separate browser and was not invalidated.
An old session can be used by an attacker even after the user has been disabled, until it expires.
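The following is an added example, not LibreNMS code: an in-memory session store (constructed here) that walks through the reproduction steps above and contrasts the reported behaviour with the two defender-side controls that close it, revoking a user's sessions at the moment the account is disabled and re-checking the account flag on every request.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """hardened=False reproduces the report; hardened=True applies both fixes."""
    hardened: bool = True
    enabled: dict = field(default_factory=dict)   # username -> account enabled?
    sessions: dict = field(default_factory=dict)  # session token -> username

    def login(self, name: str) -> str:
        if not self.enabled[name]:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def disable_user(self, name: str) -> int:
        """Disable the account; hardened mode also revokes its sessions. Returns revoked count."""
        self.enabled[name] = False
        if not self.hardened:
            return 0                                   # the reported behaviour: sessions outlive the account
        stale = [t for t, n in self.sessions.items() if n == name]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def is_valid(self, token: str) -> bool:
        """Per-request check; hardened mode also re-reads the owner's enabled flag."""
        name = self.sessions.get(token)
        if name is None:
            return False
        if self.hardened and not self.enabled[name]:
            self.sessions.pop(token)                   # defence in depth if revocation was missed
            return False
        return True


def reproduce(hardened: bool) -> bool:
    """Run the report's steps 2-5; returns True if the disabled user's session survives."""
    store = SessionStore(hardened=hardened)
    store.enabled["testuser"] = True        # step 2: create and enable the Normal user
    token = store.login("testuser")         # step 3: test user logs in (separate browser)
    store.disable_user("testuser")          # step 4: admin disables the test user
    return store.is_valid(token)            # step 5: is the old session still accepted?
```

`reproduce(False)` returns True (the session survives, as reported) and `reproduce(True)` returns False.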