We found results for “


Date: October 10, 2021


In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.


The “Calibre-web” application is vulnerable to “Cross site request forgery”. By forcing an authenticated user to submit a request , it is possible to create a new user role with admin privileges.

PoC Details

For demonstration purposes we will use two users:
1. Alice, a user of the application.
2. Admin, an administrator user.
Login into the application as Alice, and in another browser login in as Admin.
As Admin, navigate to the “Users”' tab under the “Security” section on the left panel. You can see Alice listed there. Press on “Edit Password” for Alice, and change the password.
Meanwhile, Alice is connected on a different browser, and can still access the account and perform some actions (upload pages, etc..) even after the password has been changed.

Affected Environments

OrchardCore versions versions 1.0.0-beta1-3383 to 1.0.0


Make sure the current session of a user gets invalidated when their password is changed, and cannot be reused.


No fix was provided by the maintainer.

Language: C#

Good to know:


Insufficient Session Expiration


Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: