Insufficient Session Expiration in cortezaproject/corteza-server
Oct 2nd 2021
Set up the cortezaproject in your local machine.
Create the account on corteza
Login using same credentails from chrome and firefox.
Change user password from chrome.
Perform any activity in Firefox the session is still valid.
After changing password, each and every active session that belongs to that particular account must be destroyed!
Thank you for reporting. We were implementing some improvements to how tokens are stored and managed. I will sync internally to see how exactly we want your exact case to look like.
The reported flow holds, but we are not planning on changing it. A user has an option to revoke their sessions at any point if they decide to do so, but we will not revoke them automatically for such cases.
We might add a popup (or something) to ask the user to revoke the sessions for cases such as password changes or logout for a nicer UX (something similar to what Facebook does IIRC).
@admin should this disclosure be considered valid? For us, we would say no.
Same situation here @tjerman. Feel free to mark as invalid if you do not believe this to be a security issue.
The final decision reconsidered this as an issue. Thank you for the disclosure
Thanks for bounty. Will I be getting CVE on this??
@takester - if the maintainer confirms they are happy for a CVE to be published here, we can go ahead and do this for you!