Session Fixation in filegator/filegator
May 22nd 2022
The updateUser function does not reset the affected user's session.
🕵️♂️ Proof of Concept
Use two browsers; in the first, update the second user's session to delete his privileges.
Go to the second browser and refresh the page: you will see that the user has lost his rights (until his session ends).
Because of this vulnerability, rights management cannot be handled properly.
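The pattern behind the report, as an added example that is not FileGator's code: a session that caches the permissions granted at login keeps them after an administrator edits the account, whereas a server that treats the user store as authoritative and versions each account can detect the stale session on the next request. All class and function names (UserStore, SessionStore, update_user, can_vulnerable, can_fixed) are illustrative assumptions.

```python
"""Stale-permission demo (illustrative, not FileGator's own code).

A user's session is issued with a snapshot of their rights at login.
If updateUser only rewrites the user store, that snapshot stays valid
until the session expires. Versioning the account lets each request
notice that the rights changed and drop the old session.
"""
import secrets


class UserStore:
    """Authoritative user records: permissions plus a change counter."""

    def __init__(self):
        self.users = {}  # username -> {"permissions": set, "version": int}

    def add(self, name, permissions):
        self.users[name] = {"permissions": set(permissions), "version": 0}

    def update_user(self, name, permissions):
        user = self.users[name]
        user["permissions"] = set(permissions)
        user["version"] += 1  # bump so sessions minted earlier can be detected

    def get(self, name):
        return self.users[name]


class SessionStore:
    """Server-side sessions; each remembers the account version it was issued for."""

    def __init__(self, store):
        self.store = store
        self.sessions = {}  # session id -> {"user", "permissions", "version"}

    def login(self, name):
        user = self.store.get(name)
        sid = secrets.token_hex(16)
        self.sessions[sid] = {
            "user": name,
            "permissions": set(user["permissions"]),  # snapshot taken at login
            "version": user["version"],
        }
        return sid

    def can_vulnerable(self, sid, perm):
        """Vulnerable check: trusts the snapshot cached in the session."""
        session = self.sessions.get(sid)
        return session is not None and perm in session["permissions"]

    def can_fixed(self, sid, perm):
        """Hardened check: the user store decides; an out-of-date session is dropped."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        user = self.store.get(session["user"])
        if session["version"] != user["version"]:
            del self.sessions[sid]  # rights changed since login: force a fresh login
            return False
        return perm in user["permissions"]


def demo():
    """Constructed scenario: admin removes bob's upload right while bob is logged in."""
    store = UserStore()
    store.add("bob", {"read", "write", "upload"})
    sessions = SessionStore(store)
    sid = sessions.login("bob")               # browser 2: bob logs in
    store.update_user("bob", {"read"})        # browser 1: admin strips write/upload
    return {
        "stale_grant": sessions.can_vulnerable(sid, "upload"),   # True: old rights survive
        "enforced": sessions.can_fixed(sid, "upload"),            # False: change applied
        "session_alive": sid in sessions.sessions,                # False: session dropped
    }


if __name__ == "__main__":
    print(demo())
```

Dropping the session is the simplest remedy; an application that prefers not to log the user out can instead refresh the cached permissions from the store when the version mismatch is detected, as long as the store, not the session, remains the source of truth.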