Insufficient Session Expiration in flatcore/flatcore-cms


Reported on

Oct 14th 2021


The Cookie before & after user login doesn't change.

Proof of Concept

// PoC
1 Load new website in a new browser

2 Get cookie before login

3 Login to website

4 Get cookie after login

Compare those 2 values


Through other attack methods such as XSS, the attacker can store the user's cookies and access them later.

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 2 years ago
Patrick validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick marked this as fixed with commit 7942ff 2 years ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation