Session is not expiring after password resetting in linkstackorg/linkstack

Valid

Reported on

Sep 24th 2023


Description

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs, in this case the session is not getting expired after the password change

Proof of Concept

  1. Open http://localhost:8188/studio/profile in 2 browsers (I use Firefox and Chromium)
  2. Log in using these both browser with same login credentials
  3. Change password from the Firefox browser
  4. After password changed, refresh the page on the Chromium browser
  5. Observe that the session will not expire after password resetting

Proof of Concept (Video)

poc-linkstack-pw-change.gif

Impact

There is no way for the victim to revoke access of attacker if account has been already compromised

We are processing your report and will contact the linkstackorg/linkstack team within 24 hours. 5 months ago
We have contacted a member of the linkstackorg/linkstack team and are waiting to hear back 5 months ago
linkstackorg/linkstack maintainer has acknowledged this report 5 months ago
Julian Prieber validated this vulnerability 5 months ago
sev-hack has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Julian Prieber marked this as fixed in v4.2.9 with commit 02f620 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
to join this conversation