Session does not expire on password reset in ikus060/rdiffweb
Status: Valid
Reported on Sep 29th 2022
# Description
When a user changes their password, neither the session in which the password was changed nor the user's existing sessions in other browsers or devices expire; all of them remain active.
# Proof of Concept
1. Go to https://rdiffweb-dev.ikus-soft.com/login/ and log in to the same account from browser A and browser B.
2. From browser B, change the password associated with the account.
3. Notice that the session in browser A remains active and does not expire.
# Impact
All active sessions must expire on password change so that an attacker's access is revoked when a compromised account's password is reset.
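The remediation above, as an added example that is not rdiffweb's own code: an in-memory user and session store in which every session records the password "generation" it was issued under. Changing the password bumps the generation, so every previously issued session (including the one used to change it) fails validation on its next use, and only the caller receives a fresh token. The `bind_to_password=False` switch reproduces the reported behaviour for comparison. The class and function names, the PBKDF2 parameters and the sample account are assumptions made for this example.

```python
# Added example (not rdiffweb's code): sessions that are revoked on password change.
# Names (Users, Sessions, reproduce_report), the PBKDF2 work factor and the
# sample account are assumptions made for this example.
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


class Users:
    """Constructed in-memory user store: name -> salt, PBKDF2 hash, password generation."""

    def __init__(self):
        self._users = {}

    def add(self, name, password):
        self._users[name] = {"pw_generation": 0}
        self._set_password(name, password)

    def _set_password(self, name, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name].update(salt=salt, hash=digest)

    def check_password(self, name, password):
        user = self._users.get(name)
        if user is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, user["hash"])

    def generation(self, name):
        return self._users[name]["pw_generation"]

    def change_password(self, name, old_password, new_password):
        """Re-hash the password and bump the generation; False if the old password is wrong."""
        if not self.check_password(name, old_password):
            return False
        self._set_password(name, new_password)
        self._users[name]["pw_generation"] += 1
        return True


class Sessions:
    """Token -> session record; validation checks expiry and the password generation."""

    def __init__(self, users, ttl_seconds=3600, bind_to_password=True):
        self.users = users
        self.ttl = ttl_seconds
        # bind_to_password=False reproduces the reported behaviour: sessions outlive a password change.
        self.bind_to_password = bind_to_password
        self._store = {}

    def create(self, name):
        token = secrets.token_urlsafe(32)
        self._store[token] = {
            "user": name,
            "pw_generation": self.users.generation(name),
            "expires": time.time() + self.ttl,
        }
        return token

    def user_for(self, token):
        """Return the session's user name, or None (dropping the record) if it is no longer valid."""
        session = self._store.get(token)
        if session is None:
            return None
        stale_password = self.bind_to_password and (
            session["pw_generation"] != self.users.generation(session["user"])
        )
        if time.time() >= session["expires"] or stale_password:
            del self._store[token]
            return None
        return session["user"]

    def change_password(self, token, old_password, new_password):
        """Change the password of the session's user; returns a fresh token, or None on failure."""
        name = self.user_for(token)
        if name is None or not self.users.change_password(name, old_password, new_password):
            return None
        # Every earlier session, this one included, now carries a stale generation;
        # hand the caller a new token so only the browser that changed the password stays logged in.
        return self.create(name)


def reproduce_report(bind_to_password):
    """Steps 1-3 of the proof of concept, run against a constructed account."""
    users = Users()
    users.add("alice", "old-password")
    sessions = Sessions(users, bind_to_password=bind_to_password)
    token_a = sessions.create("alice")  # browser A
    token_b = sessions.create("alice")  # browser B
    new_token_b = sessions.change_password(token_b, "old-password", "new-password")
    return {
        "browser_a_still_valid": sessions.user_for(token_a) is not None,
        "old_browser_b_still_valid": sessions.user_for(token_b) is not None,
        "new_browser_b_valid": sessions.user_for(new_token_b) is not None,
    }


if __name__ == "__main__":
    print("as reported:", reproduce_report(bind_to_password=False))
    print("fixed:      ", reproduce_report(bind_to_password=True))
```

Storing a generation counter on the user, rather than enumerating and deleting session rows, also revokes sessions held in stores the password-change code cannot reach (a cache, a second server), because the check happens at validation time on every request.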
# References
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. (7 months ago)
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. (7 months ago)
We have sent a second fix follow up to the ikus060/rdiffweb team. We will try again in 10 days. (7 months ago)
We have sent a third and final fix follow up to the ikus060/rdiffweb team. This report is now considered stale. (7 months ago)