Insufficient Session Expiration in flatcore/flatcore-cms

Valid

Reported on

Oct 14th 2021


Description

The Cookie before & after user login doesn't change.

Proof of Concept

// PoC
1 Load new website in a new browser

2 Get cookie before login

3 Login to website

4 Get cookie after login

Compare those 2 values

Impact

Through other attack methods such as XSS, the attacker can store the user's cookies and access them later.

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back a month ago
Patrick validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 7942ff a month ago
Patrick has been awarded the fix bounty