Insufficient Session Expiration in fobybus/social-media-skeleton


Reported on

Aug 15th 2023

Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application may not have a session timeout set. This means that a user's session will never expire, even if the user is inactive for a long period of time.

Even so, the User is required to log out of the system once the Password Changed event has been processed and completed.


Session hijacking


We are processing your report and will contact the fobybus/social-media-skeleton team within 24 hours. a month ago
We have contacted a member of the fobybus/social-media-skeleton team and are waiting to hear back a month ago
fobybus gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
fobybus validated this vulnerability a month ago
zodiac0704 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
fobybus marked this as fixed in 1.0.5 with commit ea5d19 a month ago
fobybus has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 24th 2023
login.php#L37 has been validated
fobybus published this vulnerability a month ago
to join this conversation