Session Fixation in erudika/scoold
Valid
Reported on
Jul 6th 2021
✍️ Description
Session Fixation vulnerability found in scoold: existing sessions are not expired after a password update, so a session established before the change keeps working afterwards.
🕵️♂️ Proof of Concept
Steps to reproduce:
1. Log in to the same account in a normal tab and a private (incognito) tab.
2. Change the password from either tab (say, the private one), then refresh the normal tab.
3. The session in the normal tab is still valid; it was not expired by the password change.
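The following is an added example, not code from scoold or the report, showing in a generic server-side session store why the behaviour above is a defect and what the fix looks like. The store, user names and passwords are constructed for the demo. Each session records the "password generation" the account had when it was issued; the hardened mode bumps that generation on a password change, which makes every pre-existing session fail its next authentication check, and re-issues a fresh session only to the tab that made the change. The vulnerable mode updates the password hash alone, which is the behaviour the report describes.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    password_generation: int = 0  # bumped on every password change (hardened mode)


@dataclass
class Session:
    user: str
    password_generation: int  # generation the password had when this session was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is enough for the demo; the point is the session logic, not the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Minimal server-side session store (constructed for this example, not scoold's)."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate_on_password_change = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(
            user.password_hash, _hash_password(password, user.salt)
        ):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, user.password_generation)
        return sid

    def is_authenticated(self, sid: str) -> bool:
        session = self.sessions.get(sid)
        if session is None:
            return False
        user = self.users[session.user]
        # A session issued under an older password generation is stale and rejected.
        return session.password_generation == user.password_generation

    def change_password(self, sid: str, new_password: str) -> Optional[str]:
        """Change the password of the session's user; returns the session id to keep using."""
        if not self.is_authenticated(sid):
            return None
        user = self.users[self.sessions[sid].user]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        if not self.invalidate_on_password_change:
            return sid  # vulnerable behaviour: every other session for this user stays valid
        # Hardened: bump the generation so all existing sessions fail is_authenticated(),
        # then issue a fresh session to the tab that made the change.
        user.password_generation += 1
        self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user.name, user.password_generation)
        return new_sid


def other_tab_survives_password_change(invalidate: bool) -> bool:
    """Replay the report's steps: two tabs logged in, change the password in one, probe the other."""
    store = SessionStore(invalidate_on_password_change=invalidate)
    store.register("alice", "old-password")          # constructed account
    normal_tab = store.login("alice", "old-password")
    private_tab = store.login("alice", "old-password")
    store.change_password(private_tab, "new-password")
    return store.is_authenticated(normal_tab)


if __name__ == "__main__":
    print("vulnerable store, other tab still valid:", other_tab_survives_password_change(False))
    print("hardened store, other tab still valid:  ", other_tab_survives_password_change(True))
```

Tying session validity to a per-user generation counter (rather than deleting sessions one by one) also covers sessions that live in a different store or node: any session issued before the change fails the comparison on its next request, regardless of where it is held. The same check can be reused for other credential-changing events such as an administrative password reset.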
💥 Impact
Existing sessions remain valid even after the victim changes the password, so changing the password does not end any session that is already open.
We have contacted a member of the erudika/scoold team and are waiting to hear back.