Session Fixation in erudika/scoold
Jul 6th 2021
Session Fixation vulnerability found in scoold: existing sessions are not expired after a password update.
Proof of Concept
Steps to reproduce:
1. Open the same account in a normal tab and a private tab.
2. Change the password from either tab (say, the private one), then refresh the normal tab.
3. You will see the session does not get expired.
The session doesn't expire even after the victim changes the password.
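The following is an added illustration of the behaviour described in the steps above and of one standard mitigation; it is not code from scoold and does not reflect what the fix commit actually changed. It assumes a server-side session table and a hypothetical per-user password_version counter: every session records the version it was issued under, and a password change bumps the counter so that every other session fails validation on its next request. The reproduce() helper replays the report's three steps against both the reported (vulnerable) and the hardened lookup.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    password_hash: str
    password_version: int = 0  # hypothetical counter, incremented on every password change


def hash_password(password: str) -> str:
    # Demo-only hashing so the example runs offline; a real application
    # uses a salted, slow hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionStore:
    """Server-side session table: session id -> (username, password_version at issue time)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, int]] = {}

    def issue(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user.username, user.password_version)
        return sid

    def resolve_vulnerable(self, sid: str, users: Dict[str, User]) -> Optional[User]:
        # Behaviour reported on this page: any stored session id stays valid,
        # no matter whether the password changed after it was issued.
        entry = self._sessions.get(sid)
        return users.get(entry[0]) if entry else None

    def resolve_hardened(self, sid: str, users: Dict[str, User]) -> Optional[User]:
        # Mitigation: a session is only valid if it was issued against the
        # user's current password version; a stale session is dropped on sight.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, issued_version = entry
        user = users.get(username)
        if user is None or issued_version != user.password_version:
            self._sessions.pop(sid, None)
            return None
        return user


def change_password(store: SessionStore, user: User, new_password: str, current_sid: str) -> str:
    """Update the password, invalidate every other session, and re-issue the caller's own."""
    user.password_hash = hash_password(new_password)
    user.password_version += 1  # every previously issued session now fails the version check
    store._sessions.pop(current_sid, None)  # drop the old id for the tab that made the change
    return store.issue(user)  # ...and hand that tab a fresh session so it stays logged in


def reproduce(hardened: bool) -> bool:
    """Replay the report's steps; return True if the untouched tab's session survives."""
    users = {"victim": User("victim", hash_password("old-pass"))}  # constructed sample account
    store = SessionStore()
    normal_tab = store.issue(users["victim"])   # step 1: same account in two tabs
    private_tab = store.issue(users["victim"])
    change_password(store, users["victim"], "new-pass", current_sid=private_tab)  # step 2
    resolve = store.resolve_hardened if hardened else store.resolve_vulnerable
    return resolve(normal_tab, users) is not None  # step 3: refresh the normal tab


if __name__ == "__main__":
    print("vulnerable: normal tab still logged in ->", reproduce(hardened=False))  # True
    print("hardened:   normal tab still logged in ->", reproduce(hardened=True))   # False
```

Storing a version number rather than deleting sessions by username has the advantage that it also works for stateless tokens (the version can be embedded in a signed cookie and compared on each request), and it lets the tab that performed the change keep a valid, re-issued session while every other one is rejected.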
Alex Bogdanovski validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
Alex Bogdanovski marked this as fixed with commit 69b0f1 2 years ago
This vulnerability will not receive a CVE