Session is not expiring after password reset in answerdev/answer


Reported on

Apr 20th 2023


  1. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization, in this case the session is not getting expired after the password change

Steps to reproduce :

  1. Open http://localhost:9080/users/settings/account in multiple browser and login on the both browser with same login creds, here im using chrome & firefox
  2. Change password from firefox browser, after password changed refresh the page on the chrome browser and the session will not expire after password reset



  1. Due to this vulnerability, there is no way for the victim to revoke access of attacker if account has been already compromised
We are processing your report and will contact the answerdev/answer team within 24 hours. 5 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 5 months ago
answerdev/answer maintainer validated this vulnerability 2 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in v1.1.0 with commit 4f468b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 2 months ago
to join this conversation