Lucene search

K
huntrShubh123-tri6951260F-E1C9-4296-8E9E-30636CD5AD88
HistoryFeb 03, 2022 - 7:20 a.m.

in cortezaproject/corteza-server

2022-02-0307:20:57
shubh123-tri
www.huntr.dev
6

Description

During testing it was found that if a user revoke his all active session, then also user is able to make changes to his account.

Proof of Concept

  1. Log in to the application
  2. Go to profile>login sessions and revoke all sessions.
  3. You will see that all other sessions are still valid and the user is able to revoke other user sessions by going to Users>edit>revoke sessions.

Impact

If a victim account is hacked and he wants to revoke all his sessions, but since the configuration provided is not proper, he won’t be able to revoke all active user sessions as attacker is still able to make changes to hacked account.