Failure to invalidate session after password change in bigbluebutton/greenlight
Jun 29th 2022
The application does not invalidate existing sessions after the password is changed, which lets an attacker who holds a compromised session keep using it.
Proof of Concept
1) Log in to the same account in two different browsers.
2) Change the password in the first browser; the second browser's session remains valid after the change (even after refreshing the page), and you can do anything in the second browser, whose session was established with the old password.
Logging in with the new password doesn't invalidate the older session either: I could browse BigBlueButton using two sessions (in two different browsers) that were initiated with two different passwords.
When the password is reset, force the user to log out and redirect them to the login page with a message.
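The fix the report asks for, shown as an added Ruby example that is not Greenlight's own code: a password version stored on the user and copied into each session at login, so that every session issued under an earlier version is rejected after a change. `User`, `SessionStore` and `run_poc` are constructed stand-ins, not Greenlight models.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-ins for a user row and a server-side session store. A user carries a
# password_version bumped on every change; a session is honoured only while versions match.
class User
  attr_reader :id, :password_version
  def initialize(id, password)
    @id, @password_version, @digest = id, 0, digest(password)
  end
  def authenticate(password)
    @digest == digest(password)
  end
  # Bumping the version is what turns every previously issued session stale.
  def password=(new_password)
    @digest, @password_version = digest(new_password), @password_version + 1
  end
  # SHA-256 stands in for bcrypt purely to keep the example dependency-free.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end

class SessionStore
  Session = Struct.new(:user, :password_version)
  def initialize; @sessions = {}; end # token => Session
  # On login the session remembers the password version it was issued under.
  def login(user, password)
    return nil unless user.authenticate(password)
    token = SecureRandom.hex(32)
    @sessions[token] = Session.new(user, user.password_version)
    token
  end
  # check_version: false reproduces the reported behaviour (any known token is accepted).
  def user_for(token, check_version: true)
    s = @sessions[token]
    s.user if s && (!check_version || s.password_version == s.user.password_version)
  end
end
# The proof-of-concept flow: two browsers, a password change in the first, then a fresh login.
def run_poc
  alice = User.new(1, 'old-password')
  store = SessionStore.new
  browser1, browser2 = 2.times.map { store.login(alice, 'old-password') }
  alice.password = 'new-password'
  browser3 = store.login(alice, 'new-password')
  valid = ->(token, **opts) { !store.user_for(token, **opts).nil? }
  { bug_still_accepts_browser2: valid.(browser2, check_version: false),
    browser1_valid: valid.(browser1), browser2_valid: valid.(browser2), browser3_valid: valid.(browser3) }
end
```

The version comparison also works with Rails' cookie session store, where the server cannot delete a client's cookie but can refuse one that carries a stale version.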