Insufficient Session Expiration in polonel/trudesk
May 16th 2022
If the admin changes the password of a user and if the user already login so application failed to invalidate the session after changing the password as a result changing the password doesn't destroy the other sessions which are logged in with old passwords.
Proof of Concept
1.Login with the admin user in one browser and log in with the user in another browser.
2.Try to change the user password from the admin side.
3.You will see that after changing the user's password, sessions don't get destroyed where the user logged in with old passwords.
If a user's account got compromised and the user informed the admin to change the password if the admin changed the password still session will not get destroyed and the attacker will have control over the account.