Session Fixation in tsolucio/corebos

Valid

Reported on

Oct 18th 2021


Description

I created a user with username test, then I logged in as test.

At the same time, in another session, I deleted the user test as an admin.

But the user test, who was already logged in before the admin deleted them, is still able to do anything they could do before.

You should kick out users after deleting them and expire their current sessions.

I noticed that there is an option that lets admins log out users, but this does not happen when an admin deletes a user; after that, the user is still able to do anything they could before.
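The failure mode described above, together with the two server-side controls that close it, as an added Python example (this is not coreBOS code, which is PHP; the in-memory user and session stores, the `on_delete` callback hook and the function names are constructed for illustration):

```python
import secrets
import time


class UserStore:
    """Tiny in-memory user table (constructed for this example)."""

    def __init__(self):
        self._users = {}
        self._next_id = 1
        self.on_delete = []  # hooks run after a user is deleted (hypothetical)

    def create(self, username):
        user_id = self._next_id
        self._next_id += 1
        self._users[user_id] = {"username": username, "active": True}
        return user_id

    def is_active(self, user_id):
        user = self._users.get(user_id)
        return user is not None and user["active"]

    def delete(self, user_id):
        self._users.pop(user_id, None)
        for hook in self.on_delete:
            hook(user_id)


class SessionStore:
    """Server-side sessions keyed by a random token."""

    def __init__(self, users, ttl_seconds=3600, recheck_owner=True):
        self._users = users
        self._ttl = ttl_seconds
        # When True, every request re-checks that the session owner still exists.
        self._recheck_owner = recheck_owner
        self._sessions = {}  # token -> {"user_id": int, "expires": float}

    def login(self, user_id):
        if not self._users.is_active(user_id):
            raise PermissionError("unknown or inactive user")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "expires": time.time() + self._ttl}
        return token

    def resolve(self, token):
        """Return the owning user id for a valid session, else None."""
        session = self._sessions.get(token)
        if session is None or session["expires"] < time.time():
            self._sessions.pop(token, None)
            return None
        # Control 2: a deleted (or deactivated) owner invalidates the session
        # even if the deletion path forgot to revoke it.
        if self._recheck_owner and not self._users.is_active(session["user_id"]):
            self._sessions.pop(token, None)
            return None
        return session["user_id"]

    def revoke_user(self, user_id):
        """Control 1: drop every session belonging to one user."""
        stale = [t for t, s in self._sessions.items() if s["user_id"] == user_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def stale_session_survives(revoke_on_delete, recheck_owner):
    """Reproduce the report: log in as 'test', delete 'test' as admin,
    then ask whether the old session still resolves to a user."""
    users = UserStore()
    sessions = SessionStore(users, recheck_owner=recheck_owner)
    if revoke_on_delete:
        users.on_delete.append(sessions.revoke_user)
    uid = users.create("test")
    token = sessions.login(uid)
    assert sessions.resolve(token) == uid  # session works before deletion
    users.delete(uid)
    return sessions.resolve(token) is not None


if __name__ == "__main__":
    print("no controls, stale session survives:", stale_session_survives(False, False))
    print("revoke on delete, stale session survives:", stale_session_survives(True, False))
    print("recheck owner, stale session survives:", stale_session_survives(False, True))
```

With neither control the deleted user's session keeps working, which is the behaviour the report describes. Either control alone closes it; using both is the usual choice, since revoking on delete gives immediate logout while the per-request owner check also covers sessions persisted outside the application's own delete path.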

We have contacted a member of the tsolucio/corebos team and are waiting to hear back a month ago
amammad modified their report
a month ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a month ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a month ago
Joe Bordes validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on fb7c6c a month ago
Joe Bordes has been awarded the fix bounty