Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID? What is an MSC vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: November 16, 2021
OverviewIn Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by an account takeover.
DetailsFactor does not properly invalidate a user’s session even after the user initiates logout. User sessions are stored in “Localstorage”, which by default does have an expiration time, which makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks.
Impact: An attacker can use previously used or available session token to takeover and login as a user in application.
PoC DetailsLogin to the application by going to http://localhost:3000. Go to Inspect > storage > Localstorage, copy the token and save it somewhere. Logout from the application.
Now, again go to Inspect > Storage > Localstorage, and paste the token saved before. Refresh the page. We find that we are logged in to the application.
An attacker may also steal the session stored in localstorage using an XSS vulnerability. The url found in the "POC Code" section logs the token in the browser console.
Affected Environments1.0.4 to 1.8.30
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||None|
|User Interaction (UI):||None|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Low|