Previously created sessions continue being valid after MFA activation [namelessmc.com] in namelessmc/nameless
Valid
Reported on
Aug 6th 2022
Description
- Hello Team, I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enable_tfa&s=2
Vulnerability Type:
- Improper Access Control - Generic
STEPS TO REPRODUCE:
- 1- Access the same account on https://namelessmc.com/ on two devices.
- 2- On device 'A', go to https://namelessmc.com/user/settings/?do=enable_tfa&s=2 and complete all steps to change the 2FA system.
- -> Now 2FA is activated via phone number/email.
- 3- Back on device 'B', reload the page.
- -> The session is still active, and I have also updated the new email.
- 4- For more details, check the PoC.
Proof of Concept:
Impact
- In this scenario, when 2FA is changed, the other sessions of the account are not invalidated.
- 2FA is required to log in. I believe the expected and recommended behaviour here is to terminate the other sessions > request a new login > request the 2FA code > and only then give access to the account again.
Occurrences
References
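The behaviour the report asks for (enabling 2FA terminates every other session, so the second device must log in again and present a code) is easy to get wrong when the 2FA flag and the session lifetime are tracked independently. The following model is an added example, not NamelessMC's code: it assumes server-side sessions keyed by a random id and a per-user `session_version` counter that each session records at issue time. Bumping the counter revokes all outstanding sessions at once; `reproduce()` replays the two-device steps above against both the reported behaviour and the hardened one. The account name and session flow are constructed for the example.

```python
import secrets


class SessionStore:
    """In-memory session store keyed by random session id (assumed model)."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": str, "version": int}
        self._users = {}     # user -> {"mfa_enabled": bool, "version": int}

    def register_user(self, user):
        self._users[user] = {"mfa_enabled": False, "version": 0}

    def login(self, user, mfa_code_ok=False):
        """Issue a session after primary authentication.

        When MFA is enabled the caller must already have verified the
        second factor (mfa_code_ok=True); otherwise no session is issued.
        """
        u = self._users[user]
        if u["mfa_enabled"] and not mfa_code_ok:
            raise PermissionError("second factor required")
        sid = secrets.token_urlsafe(32)
        # The session records the user's version at issue time.
        self._sessions[sid] = {"user": user, "version": u["version"]}
        return sid

    def is_valid(self, sid):
        """Per-request check: the session must exist and its recorded
        version must still equal the user's current version."""
        s = self._sessions.get(sid)
        return s is not None and s["version"] == self._users[s["user"]]["version"]

    def enable_mfa_vulnerable(self, sid):
        """Reported behaviour: flip the flag, leave every session alive."""
        user = self._sessions[sid]["user"]
        self._users[user]["mfa_enabled"] = True

    def enable_mfa_hardened(self, sid, keep_current=False):
        """Enable MFA and revoke all of the user's sessions.

        Bumping the version invalidates every session issued before, on
        any device. With keep_current=True the enabling device receives a
        fresh session id stamped with the new version (rotation, never
        reuse); with the default False it must log in again with a code,
        which is the behaviour the report recommends.
        """
        user = self._sessions[sid]["user"]
        u = self._users[user]
        u["mfa_enabled"] = True
        u["version"] += 1
        # Housekeeping: drop the now-dead sessions rather than keeping them around.
        for dead in [k for k, v in self._sessions.items() if v["user"] == user]:
            del self._sessions[dead]
        if keep_current:
            # The enabling device has just proved the factor during setup.
            return self.login(user, mfa_code_ok=True)
        return None


def reproduce(hardened):
    """Replay the report's steps: devices A and B share an account, A enables
    MFA, B reloads. Returns what each device can do afterwards."""
    store = SessionStore()
    store.register_user("alice")           # constructed sample account
    sid_a = store.login("alice")           # device A
    sid_b = store.login("alice")           # device B
    if hardened:
        store.enable_mfa_hardened(sid_a)
    else:
        store.enable_mfa_vulnerable(sid_a)
    try:
        store.login("alice")               # password-only login after enabling
        password_only_login = True
    except PermissionError:
        password_only_login = False
    return {
        "b_still_valid": store.is_valid(sid_b),
        "a_still_valid": store.is_valid(sid_a),
        "password_only_login": password_only_login,
        "mfa_login": store.is_valid(store.login("alice", mfa_code_ok=True)),
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(False))
    print("hardened:  ", reproduce(True))
```

In the vulnerable variant device B's session stays valid after A enables 2FA even though the 2FA flag itself now gates new logins; in the hardened variant both devices are logged out and only a login that presents the second factor yields a valid session. The version counter also makes "log out everywhere" on password or e-mail change a one-line operation, which is why it is preferable to walking a session table.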
We are processing your report and will contact the namelessmc/nameless team within 24 hours.
9 months ago
The researcher's credibility has increased: +7
@Sam @maintainer are you happy to assign a CVE? Please confirm; only then can an admin move further.
Happy to assign a CVE once we get the go-ahead from the maintainer 👍
@maintainer are you happy to assign a CVE? Please confirm.
We have sent a fix follow-up to the namelessmc/nameless team. We will try again in 7 days.
9 months ago
Hi, apologies for the delay.
Yes I am happy to go ahead with assigning a CVE.
settings.php#L24-L135 has been validated
@admin the maintainer has given permission for assigning a CVE, so please assign a CVE for this report.
@admin waiting for the bounty. This is a High vulnerability.
There is no bounty for this report. You should see the potential bounty for a report when you submit it.