Insufficient Session Expiration in librenms/librenms
Valid
Reported on
Sep 21st 2022
Description
Active user sessions are not invalidated when that user is disabled.
Proof of Concept
Steps to reproduce:
1. Log in with an admin account.
2. Create a test user with the user role `Normal` and enable that user.
3. Log in with the test user in a separate browser or private browser window.
4. Disable the test user in the admin session.
5. Observe that the test user's session is still active in the separate browser and was not invalidated.
Impact
An existing session can still be used by an attacker after the user has been disabled, until it expires on its own.
Occurrences
UserController.php L189-L193
Active sessions should be invalidated after a user has been disabled.
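The following is an added illustration, not code from LibreNMS or from the report: a small in-memory session store that replays the proof-of-concept steps above against the reported behaviour and against a fixed one. The fix applies two layers: revoke every session of the user when the user is disabled, and re-check the enabled flag on each request so a session that survived for any other reason still fails. The store, user names and flag names are constructed for this example.

```python
"""Model of the report: disabling a user must also invalidate that user's live sessions."""
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self):
        self.users = {}      # username -> {"enabled": bool}
        self.sessions = {}   # session id -> username

    def create_user(self, name, enabled=True):
        self.users[name] = {"enabled": enabled}

    def login(self, name):
        if not self.users.get(name, {}).get("enabled"):
            raise PermissionError(f"{name} is not enabled")
        sid = secrets.token_hex(16)
        self.sessions[sid] = name
        return sid

    # Reported behaviour: the flag flips, but existing sessions keep working.
    def disable_user_vulnerable(self, name):
        self.users[name]["enabled"] = False

    def is_authenticated_vulnerable(self, sid):
        return sid in self.sessions

    # Fixed behaviour: purge the user's sessions at disable time ...
    def disable_user_fixed(self, name):
        self.users[name]["enabled"] = False
        for sid in [s for s, u in self.sessions.items() if u == name]:
            del self.sessions[sid]

    # ... and re-check the enabled flag on every request.
    def is_authenticated_fixed(self, sid):
        name = self.sessions.get(sid)
        return name is not None and self.users[name]["enabled"]


def reproduce(fixed):
    """Replay the PoC steps; return True if the test user's session still works after disable."""
    store = SessionStore()
    store.create_user("testuser")                 # step 2
    sid = store.login("testuser")                 # step 3
    if fixed:
        store.disable_user_fixed("testuser")      # step 4
        return store.is_authenticated_fixed(sid)  # step 5
    store.disable_user_vulnerable("testuser")
    return store.is_authenticated_vulnerable(sid)
```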
References
8 months ago: We are processing your report and will contact the librenms team within 24 hours.
8 months ago: We have contacted a member of the librenms team and are waiting to hear back.
8 months ago: We have sent a follow up to the librenms team. We will try again in 7 days.
7 months ago: We have sent a second follow up to the librenms team. We will try again in 10 days.
7 months ago: We have sent a third and final follow up to the librenms team. This report is now considered stale.
The researcher's credibility has increased: +7
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
UserController.php#L189-L193 has been validated.