Insufficient Session Expiration

derhansen/fechangepwd uses insecure session management. The vulnerability exists because the updatePassword functions in FrontendUserService.php fails to revoke existing sessions for the current user when the password has been changed, allowing an attacker to bypass the authentication mechanism...

CVE-2020-13302

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password...