Session Fixation in alovoa/alovoa


Reported on

Sep 16th 2021


On changing password both session using which user changes password and old sessions in any other browser or device does not expire and remains active.

Proof of Concept


  1. Log in to Browser A and make sure to check 'stay logged in to this device' checkbox while logging in.
  2. From Browser B login to your account and change password Notice that Session on Browser Awill remain active and does not expire.


The session doesn't expire even after the victim changes the password. Due to this bug, there is no way for the victim to revoke access of attacker if account has been already compromised.

We have contacted a member of the alovoa team and are waiting to hear back 2 years ago
Nho Quy Dinh validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh marked this as fixed with commit 05cc2b 2 years ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation