Session Fixation in tsolucio/corebos

Valid

Reported on Oct 18th 2021


Description

I created a user with username test, then I logged in with test.

At the same time, in another session, I deleted the user test as an admin.

But the user test, who was already logged in before the admin deleted it, is still able to do anything that he could do before.

You should kick out users after deleting them and expire their current sessions.

I noticed that there is an option for admins to log out users, but this is not applied when an admin deletes a user; after that, the user is still able to do anything they could do before.
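The behaviour the report describes is a session that stays valid because the server only checks that the token exists in the session table, never that the account behind it still exists. The following is an added illustration, not coreBOS code: an in-memory user store and session store (constructed names, not the project's own identifiers) with the two defences a fix needs, eager revocation of every session belonging to a deleted account, and a per-request re-check that the session's owner still exists and is active, so a session cannot outlive its account even if the deletion path somewhere misses the revocation.

```python
import secrets
import time


class UserStore:
    """Constructed stand-in for the application's user table."""

    def __init__(self):
        self._users = {}        # username -> {"active": bool}
        self._on_delete = []    # callbacks invoked when an account is removed

    def create(self, username):
        self._users[username] = {"active": True}

    def exists_and_active(self, username):
        rec = self._users.get(username)
        return rec is not None and rec["active"]

    def subscribe_delete(self, callback):
        self._on_delete.append(callback)

    def delete(self, username):
        self._users.pop(username, None)
        # Defence 1: deleting the account eagerly terminates its sessions.
        for cb in self._on_delete:
            cb(username)


class SessionStore:
    """Constructed stand-in for the application's server-side session table."""

    def __init__(self, users, revoke_on_delete=True, ttl_seconds=3600):
        self._users = users
        self._sessions = {}     # token -> {"user": str, "expires": float}
        self._ttl = ttl_seconds
        if revoke_on_delete:
            users.subscribe_delete(self.revoke_all_for_user)

    def login(self, username):
        """Issue a fresh random token only for an existing, active account."""
        if not self._users.exists_and_active(username):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "expires": time.time() + self._ttl}
        return token

    def revoke_all_for_user(self, username):
        """Drop every session owned by the account; returns how many were removed."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def resolve_table_lookup_only(self, token):
        """The reported behaviour: a token is trusted as long as it is in the table."""
        s = self._sessions.get(token)
        return s["user"] if s else None

    def resolve(self, token):
        """Hardened lookup: reject expired tokens and tokens whose owner is gone."""
        s = self._sessions.get(token)
        if s is None or s["expires"] <= time.time():
            self._sessions.pop(token, None)
            return None
        # Defence 2: re-check the account on every request, so the session
        # survives only while its owner still exists and is active.
        if not self._users.exists_and_active(s["user"]):
            del self._sessions[token]
            return None
        return s["user"]


def replay_report(revoke_on_delete):
    """Replay the steps from the report and return what each lookup would trust."""
    users = UserStore()
    users.create("admin")
    users.create("test")
    sessions = SessionStore(users, revoke_on_delete=revoke_on_delete)
    token = sessions.login("test")      # step 1: test logs in
    users.delete("test")                # step 2: admin deletes test in another session
    return {
        "table_lookup_only": sessions.resolve_table_lookup_only(token),
        "hardened": sessions.resolve(token),
    }


if __name__ == "__main__":
    print("no revocation on delete:", replay_report(revoke_on_delete=False))
    print("revocation on delete:   ", replay_report(revoke_on_delete=True))
```

With revocation disabled, the table-only lookup still returns "test" after the account is deleted, which is exactly the report; the hardened lookup returns None in both configurations because it consults the user store on every request. Keeping both defences matters in deployments where sessions live in a separate store (database, cache) that the deletion code path may not reach reliably.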

We have contacted a member of the tsolucio/corebos team and are waiting to hear back (a year ago)
amammad modified the report (a year ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (a year ago)
Joe Bordes validated this vulnerability (a year ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on fb7c6c (a year ago)
Joe Bordes has been awarded the fix bounty