Insufficient Session Expiration in fobybus/social-media-skeleton
Valid
Reported on Aug 15th 2023
Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application may not have a session timeout set. This means that a user's session will never expire, even if the user is inactive for a long period of time.
Even so, the user is required to log out of the system once the password-changed event has been processed and completed.
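The two controls described above (a session timeout, and ending sessions once a password change completes) can be sketched as follows. This is an added example, not code from fobybus/social-media-skeleton; the limits, the session keys and the stored password-change timestamp are assumptions, and the session is modelled as a plain array so the logic runs offline.

```php
<?php
// Added example, not code from fobybus/social-media-skeleton.
// IDLE_LIMIT, ABSOLUTE_LIMIT, the session keys and the per-user
// password-change timestamp are hypothetical names chosen for illustration.
const IDLE_LIMIT = 900;        // seconds without a request before expiry
const ABSOLUTE_LIMIT = 28800;  // seconds since login, regardless of activity

// Call from the login handler after the credential check succeeds.
function start_login_session(array &$session, int $userId, int $now): void
{
    // With real PHP sessions, also call session_regenerate_id(true) here.
    $session = ['uid' => $userId, 'login_at' => $now, 'last_seen' => $now];
}

// Call at the top of every authenticated page.
// $passwordChangedAt is the user's last password-change time from the database.
function session_is_valid(array &$session, int $passwordChangedAt, int $now): bool
{
    $expired = !isset($session['uid'])
        || $now - $session['last_seen'] > IDLE_LIMIT      // idle timeout
        || $now - $session['login_at'] > ABSOLUTE_LIMIT   // absolute lifetime
        || $session['login_at'] < $passwordChangedAt;     // predates password change
    if ($expired) {
        // With real PHP sessions, also call session_unset() and session_destroy().
        $session = [];
        return false;
    }
    $session['last_seen'] = $now;   // slide the idle window forward
    return true;
}

// Constructed walk-through: two browsers logged in to the same account.
$t0 = 1700000000;
$browserA = [];
$browserB = [];
start_login_session($browserA, 42, $t0);
start_login_session($browserB, 42, $t0 + 60);
$pwChanged = 0;                                          // no change recorded yet

var_dump(session_is_valid($browserB, $pwChanged, $t0 + 300));   // normal request
$pwChanged = $t0 + 600;                                  // browser A changes the password
start_login_session($browserA, 42, $pwChanged);          // and signs in again
var_dump(session_is_valid($browserB, $pwChanged, $t0 + 660));   // session from before the change
var_dump(session_is_valid($browserA, $pwChanged, $t0 + 700));   // fresh session
var_dump(session_is_valid($browserA, $pwChanged, $t0 + 700 + IDLE_LIMIT + 1)); // after idling
```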
Impact
Session hijacking
Occurrences
We are processing your report and will contact the fobybus/social-media-skeleton team within 24 hours.
a month ago
We have contacted a member of the fobybus/social-media-skeleton team and are waiting to hear back
a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
login.php#L37 has been validated