Insufficient Session Expiration in admidio/admidio
Mar 9th 2022
The application failed to invalidate the session after changing the password and In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords.
Proof of Concept
1.Login same account in two different browsers.
2.Try to change the password from one browser.
3.You will see after changing the password, sessions don't get destroyed from another browser and it is still logged in with old passwords.
If a user's account got compromised and he/she tried to change the password still after changing the password session will not destroy and the attacker will have control over the account.