Session is not expiring after password reset in answerdev/answer

Valid

Reported on

Apr 20th 2023


Description

  1. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In this case, existing sessions do not expire after the password is changed.

Steps to reproduce:

  1. Open http://localhost:9080/users/settings/account in multiple browsers and log in on both with the same credentials; here I'm using Chrome and Firefox.
  2. Change the password from the Firefox browser. After the password has been changed, refresh the page in the Chrome browser: the session does not expire after the password reset.

POC:

Impact

  1. Due to this vulnerability, there is no way for the victim to revoke the attacker's access if the account has already been compromised.
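As an added example (not code from Answer or from the reporter), a minimal Go session store that reproduces the reported behaviour beside the fix: each user carries a password version, every session records the version it was issued under, and a password change bumps the version so older sessions fail authentication. `Store`, `Login`, `ChangePassword`, `Authenticate` and the user "alice" are hypothetical names chosen for this illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

type session struct {
	userID string
	pwVer  int // the user's password version when this session was issued
}
// Store is a minimal in-memory session store (hypothetical, not Answer's own code).
// pwVer is a per-user counter bumped on every password change; with
// RevokeOnPasswordChange=false the store reproduces the reported behaviour.
type Store struct {
	RevokeOnPasswordChange bool
	pwVer                  map[string]int
	sessions               map[string]session
}
func NewStore(revoke bool) *Store {
	return &Store{RevokeOnPasswordChange: revoke, pwVer: map[string]int{}, sessions: map[string]session{}}
}
// Login issues a fresh random token; the password is assumed to be verified already.
func (s *Store) Login(userID string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := fmt.Sprintf("%x", b)
	s.sessions[tok] = session{userID: userID, pwVer: s.pwVer[userID]}
	return tok
}

// ChangePassword bumps the version, so every session issued earlier becomes stale.
func (s *Store) ChangePassword(userID string) { s.pwVer[userID]++ }

// Authenticate resolves a token to a user ID, deleting stale sessions when enabled.
func (s *Store) Authenticate(tok string) (string, error) {
	sess, ok := s.sessions[tok]
	if !ok {
		return "", errors.New("unknown session")
	}
	if s.RevokeOnPasswordChange && sess.pwVer != s.pwVer[sess.userID] {
		delete(s.sessions, tok) // revoke rather than leave a reusable token behind
		return "", errors.New("session issued before password change")
	}
	return sess.userID, nil
}
```

Note that the session which performed the change is revoked too, so a real handler should issue that browser a new token right after `ChangePassword`.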

We are processing your report and will contact the answerdev/answer team within 24 hours. 5 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 5 months ago
answerdev/answer maintainer validated this vulnerability 2 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in v1.1.0 with commit 4f468b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 2 months ago