Mend Vulnerability Database
Date: January 3, 2022
Overview
In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. An attacker who is able to obtain the admin’s session token (via other, hypothetical attacks) may reuse that still-valid token, even after the admin has logged out, to gain admin privileges.

Details
Talkyard does not terminate sessions on the server side when the user initiates a logout, which makes it possible for an attacker to reuse the admin cookies, obtained via other hypothetical attacks.

PoC Details
As the victim admin, log in with your credentials. Export and save the cookie values for later. Then log out of the application.
Now, as an attacker, import the admin’s cookie values into the browser. Refresh the page and you will notice that you are signed in as the admin.

Affected Environments
v0.2021.20 through v0.2021.34

Prevention
Upgrade to version v0.2021.35
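
The logout behaviour described under Details, and the replay from the PoC turned into a regression check, as an added example that is not Talkyard's code or its actual fix. The `SessionStore` class, the token layout and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed signing key for this demo
SESSION_TTL = 3600                # assumed session lifetime in seconds


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Hypothetical session layer; revoke_on_logout=False models the flaw."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self.ended = set()  # server-side record of terminated session ids

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        payload = f"{sid}.{user}.{int(time.time()) + SESSION_TTL}"
        return f"{payload}.{_sign(payload)}"

    def logout(self, token):
        # The browser deletes its cookie either way; only the hardened
        # variant also marks the session id as ended on the server.
        if self.revoke_on_logout:
            self.ended.add(token.split(".", 1)[0])

    def authenticate(self, token, now=None):
        """Return the user name for a live session, else None."""
        payload, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        sid, user, expires = payload.split(".")
        if int(expires) <= (time.time() if now is None else now):
            return None
        if sid in self.ended:
            return None
        return user


def replay_after_logout(store):
    """Regression check: does a cookie saved before logout still work?"""
    saved = store.login("admin")
    store.logout(saved)
    return store.authenticate(saved) == "admin"
```

A signature and expiry check alone accepts the saved cookie until the lifetime runs out; only the server-side `ended` lookup makes logout effective.
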
Good to know:
|Attack Vector (AV):|Network|
|Attack Complexity (AC):|Low|
|Privileges Required (PR):|None|
|User Interaction (UI):|None|
|Access Vector (AV):|Network|
|Access Complexity (AC):|Low|