Insufficient Session Expiration in polonel/trudesk

Valid

Reported on

May 16th 2022


Description

If an admin changes a user's password while that user is already logged in, the application fails to invalidate the user's existing sessions. As a result, changing the password does not destroy other sessions that were established with the old password.

Proof of Concept

1. Log in as the admin user in one browser and as the target user in another browser.

2. Change the user's password from the admin side.

3. Observe that after the password change, the user's existing sessions (established with the old password) are not destroyed.

Video PoC

https://drive.google.com/file/d/16ECM2nkoSVpPAPkkxC6pFsvtQUrTbj9Q/view?usp=sharing

Impact

If a user's account is compromised and the user asks the admin to change the password, the admin's password change still does not destroy the existing sessions, so the attacker retains control of the account.

References

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 years ago
polonel/trudesk maintainer has acknowledged this report 2 years ago
Chris validated this vulnerability 2 years ago
SAMPRIT DAS has been awarded the disclosure bounty
Chris
2 years ago

Maintainer


This is fixed in v1.2.2. I will update this report once it is released.

SAMPRIT DAS
2 years ago

Researcher


Okay, thanks @maintainer

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. 2 years ago
Chris marked this as fixed in 1.2.2 with commit 7f4eac 2 years ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE