Mend Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-25985

Date: November 16, 2021

Overview

In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by an account takeover.

Details

Factor does not properly invalidate a user’s session even after the user initiates logout. User sessions are stored in “Localstorage”, which by default does have an expiration time, which makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks.
Impact: An attacker can use previously used or available session token to takeover and login as a user in application.

PoC Details

Login to the application by going to http://localhost:3000. Go to Inspect > storage > Localstorage, copy the token and save it somewhere. Logout from the application.
Now, again go to Inspect > Storage > Localstorage, and paste the token saved before. Refresh the page. We find that we are logged in to the application.
An attacker may also steal the session stored in localstorage using an XSS vulnerability. The url found in the "POC Code" section logs the token in the browser console.

PoC Code

http://localhost:3000/?category=%3Cscript%3Evar%20retrievedObject%20%3D%20localStorage.getItem%28%27token%27%29%3Bconsole.log%28%27retrievedObject%3A%20%27%2C%20JSON.parse%28retrievedObject%29%29%3B%3C%2Fscript%3E

Affected Environments

1.0.4 to 1.8.30

Prevention

No fix

Language: VUE

Good to know:

icon

Insufficient Session Expiration

CWE-613
icon

Upgrade Version

Upgrade to version @factor/cli - 3.0.1

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information:

Related Resources (4)

https://github.com/FactorJS/factor/blob/v1.8.30/@factor/user/util.ts#L65
https://nvd.nist.gov/vuln/detail/CVE-2021-25985
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25985
https://www.mend.io/vulnerability-database/CVE-2021-25985