huntr report DF06B7D7-6077-43A5-BD81-3CC66F0D4D19 (reporter: agnihackers)
History: Aug 06, 2022 - 5:53 p.m.

Previously created sessions continue being valid after MFA activation [namelessmc.com]

2022-08-06 17:53:12
agnihackers
www.huntr.dev

EPSS: 0.002 (Low), percentile 56.4%

Description

Hello Team, I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enable_tfa&s=2

Vulnerability Type:

Improper Access Control - Generic

STEPS TO REPRODUCE:

  1. Access the same account on https://namelessmc.com/ in two devices.
  2. On device 'A' go to https://namelessmc.com/user/settings/?do=enable_tfa&s=2 and complete all steps to change the 2FA system.
     -> Now the 2FA is activated from Phone number/Email.
  3. Back on device 'B', reload the page.
     -> The session is still active and also I have updated the new email.
  4. For more details, check the POC.

Proof of Concept:

POC VIDEO
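The flaw the report describes is that a session created before 2FA was turned on keeps working afterwards. The usual fix is to tie every session to a per-user security version that is bumped whenever a security-sensitive setting changes, so that only the device that performed the change keeps a (re-issued) session. The following Python model is an added example, not NamelessMC's code: `User`, `Session`, `SessionStore` and the `auth_version` counter are assumed names, and `run_scenario` replays the two-device steps above once with the vulnerable behaviour and once with invalidation enabled.

```python
"""Session invalidation on MFA enablement (added example, not NamelessMC code).

Each session stores a snapshot of the user's auth_version (assumed name).
Enabling MFA bumps that counter, so every session issued earlier stops
resolving; the device that enabled MFA receives a fresh token.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    mfa_enabled: bool = False
    auth_version: int = 0  # bumped on any security-sensitive change


@dataclass
class Session:
    token: str
    username: str
    auth_version: int  # the user's auth_version at the time of login


class SessionStore:
    def __init__(self, invalidate_on_mfa: bool = True):
        self.invalidate_on_mfa = invalidate_on_mfa
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str) -> User:
        user = User(username)
        self.users[username] = user
        return user

    def login(self, username: str) -> str:
        """Issue a random session token bound to the user's current auth_version."""
        user = self.users[username]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.auth_version)
        return token

    def resolve(self, token: Optional[str]) -> Optional[User]:
        """Return the user for a token; drop and reject a session whose
        auth_version no longer matches the user's (it predates a security change)."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if session.auth_version != user.auth_version:
            del self.sessions[token]
            return None
        return user

    def enable_mfa(self, token: str) -> Optional[str]:
        """Enable MFA for the session's user and return the token the calling
        device should continue with (None if the token was not valid)."""
        user = self.resolve(token)
        if user is None:
            return None
        user.mfa_enabled = True
        if not self.invalidate_on_mfa:
            return token  # vulnerable behaviour: sessions on other devices stay valid
        user.auth_version += 1        # every pre-existing session is now stale
        del self.sessions[token]      # rotate the current device's token as well
        return self.login(user.username)


def run_scenario(invalidate_on_mfa: bool) -> dict:
    """Replay the report: one account, two devices, MFA enabled from device A."""
    store = SessionStore(invalidate_on_mfa)
    store.add_user("alice")              # constructed sample user
    device_a = store.login("alice")
    device_b = store.login("alice")
    device_a = store.enable_mfa(device_a)
    return {
        "device_a_still_logged_in": store.resolve(device_a) is not None,
        "device_b_still_logged_in": store.resolve(device_b) is not None,
        "mfa_enabled": store.users["alice"].mfa_enabled,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(invalidate_on_mfa=False))
    print("fixed:     ", run_scenario(invalidate_on_mfa=True))
```

With `invalidate_on_mfa=False` device B remains logged in after A enables MFA, which is the behaviour reported; with the counter bump only A's freshly issued token resolves. The same `auth_version` check also covers password changes and email changes, which the reporter notes were accepted by the stale session as well.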
