Insufficient Session Expiration in elgg/elgg
Reported on
Oct 4th 2022
Description
Active sessions are not invalidated after a password change or after an admin resets the user's password.
Proof of Concept
Steps to reproduce:
1. Log in to Elgg with any user
2. Do the same in another browser or a private window, such that there are two different active sessions
3. Update the user's password in either of the two sessions
4. Observe that the other session is still active and was not invalidated
This issue also exists when an admin changes or resets an account's password.
Impact
An old session can be used by an attacker even after the password has been changed or reset. A password change is a way to react to an account breach and should guarantee that the attacker no longer has access. However, in this case the session is still active and the attacker can perform all actions tied to that session until it expires.
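The mitigation the report implies, as an added defender-side model that is not Elgg's code: each user carries a password version, every session records the version in effect when it was issued, and a request is rejected once the two no longer match. The class and field names are assumptions, and the hash is a placeholder for a real password KDF.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

def hash_password(password: str) -> str:
    # Constructed model only; a real deployment uses a salted password KDF.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class User:
    password_hash: str
    password_version: int = 0  # incremented on every change or admin reset

@dataclass
class Session:
    user: str
    password_version: int  # the user's version when this session was issued

class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # token -> session

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or user.password_hash != hash_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_version)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess.password_version != self.users[sess.user].password_version:
            del self.sessions[token]  # issued before the last password change
            return None
        return sess.user

    def change_password(self, name: str, new_pw: str, keep: Optional[str] = None) -> None:
        # keep: the session making a self-service change; an admin reset passes None.
        user = self.users[name]
        user.password_hash = hash_password(new_pw)
        user.password_version += 1
        sess = self.sessions.get(keep) if keep else None
        if sess is not None and sess.user == name:
            sess.password_version = user.password_version
```

Walking through the report's steps against this store, the second session is rejected on its next request after the change, and an admin reset (no `keep` token) drops every session of the account.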
References
Thanks for reporting. We're looking into fixing this.