Session is still valid after changing password in fossbilling/fossbilling


Reported on

Jul 11th 2023


The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by the attacker.

Proof of Concept

1 - Log in to 2 different computers

2 - At a computer, perform a password change.

3 - Result: On the other logged in computer, it can still be used normally.

Image POC:


Disable sessions in both client and server after user changes password


Once the session is taken over by an attacker, there is no way to destroy that session even if you change the password.

We are processing your report and will contact the fossbilling team within 24 hours. 2 months ago
Phạm Đăng Chính modified the report
2 months ago
We have contacted a member of the fossbilling team and are waiting to hear back 2 months ago
Belle Aerni validated this vulnerability 2 months ago
Phạm Đăng Chính has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni
2 months ago


Fixed by this PR:

Belle Aerni marked this as fixed in 0.5.5 with commit 20c23b 2 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 31st 2023
Belle Aerni published this vulnerability 2 months ago
to join this conversation