CVE-2021-25992

Date: February 10, 2022

Overview

Ifme versions 1.0.0 through v7.33.2 do not properly invalidate a user's session even after the user initiates logout. This makes it possible for an attacker to reuse the admin cookies, either via local/network access or via other hypothetical attacks.

Details

Ifme does not properly invalidate a user's session even after the user initiates logout. This makes it possible for an attacker to reuse the admin cookies, either via local/network access or via other hypothetical attacks.

PoC Details

Access the application at http://localhost:3000/users/sign_in and log in with admin credentials. Use the “EditThisCookie” browser extension to copy the cookie values, then log out of the application. Now open “EditThisCookie”, import the copied cookies, and refresh the page. After the refresh, the account is logged in again.
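The PoC flow above replayed against two constructed session stores (an added example, not Ifme or Devise code): a cookie-only store in which logout changes nothing server-side, so the copied cookie is still accepted, and a server-side store that deletes the session record on logout, so the copy is rejected. All class and method names are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Vulnerable pattern (constructed): the signed cookie alone proves identity and
# logout only tells the browser to drop it, so a copied cookie keeps working.
# The MAC comparison uses == for brevity; real code needs a constant-time compare.
class CookieOnlySessions
  def initialize(secret = SecureRandom.hex(32))
    @secret = secret
  end
  def login(user_id)
    payload = "#{user_id}:#{SecureRandom.hex(8)}"
    "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)}"
  end
  def logout(_cookie); end # nothing is revoked server-side
  def current_user(cookie)
    payload, mac = cookie.to_s.split('.', 2)
    return nil unless payload && mac
    mac == OpenSSL::HMAC.hexdigest('SHA256', @secret, payload) ? payload.split(':').first : nil
  end
end

# Hardened pattern (constructed): the cookie is only an opaque id; the server
# owns the session record and deletes it on logout, so a replayed cookie fails.
class RevocableSessions
  def initialize
    @active = {} # session id => user id, the authoritative state
  end
  def login(user_id)
    sid = SecureRandom.hex(32)
    @active[sid] = user_id
    sid
  end
  def logout(sid)
    @active.delete(sid)
  end
  def current_user(sid)
    @active[sid]
  end
end

# Replays the advisory's PoC: log in, copy the cookie, log out, present the copy
# again. Returns the user still accepted, or nil when the session was invalidated.
def replay_after_logout(store, user_id = 'admin')
  copied = store.login(user_id)
  store.logout(copied)
  store.current_user(copied)
end
```

A regression test for the fix is exactly the replay check: after logout, the server must answer nil for the old cookie.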

Affected Environments

1.0.0 to v7.33.2

Prevention

Upgrade to version v7.33.3

Language: Ruby

Good to know:

Insufficient Session Expiration (CWE-613)

Upgrade Version

Upgrade to version v7.33.3

CVSS v3 base metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 base metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial