Session Fixation in monicahq/monica

Valid

Reported on

May 9th 2021

✍️ Description

Recently there was more than 5 reports at huntr showing how to trigger XSS in monica ,the session fixation i am reporting here can be used with these bugs or can be used for post exploitation methods to maintain access on an account even after changing the password of the account.

🕵️‍♂️ Proof of Concept

  • open account in a new tab.
  • open same account in a private window or on an another device.
  • change the password in one of them and reload the other .
  • so we can see the session isn't expiring.

💥 Impact

session persists even after user changes password of the account

Ajmal
3 years ago

Researcher

POC screenshot

Ajmal
2 years ago

Researcher

https://discord.com/channels/698921711738945587/749019614352244777/854673791895863347

Ajmal
2 years ago

Researcher

new link : https://drive.google.com/file/d/1E0O1OQqoxZ8S034pb4ELPL37M-0afxUz/view?usp=sharing

Ajmal
2 years ago

Researcher

please try try this if the above one don't works https://drive.google.com/file/d/1E0O1OQqoxZ8S034pb4ELPL37M-0afxUz/view?usp=sharing

Alexis Saettler validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alexis Saettler
2 years ago

Thank you for the submit

Alexis Saettler marked this as fixed with commit a4c037 2 years ago
Alexis Saettler has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation