Mend Vulnerability Database
Date: February 10, 2022
Overview
In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a user’s session even after the user initiated logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks.

Details
Ifme does not properly invalidate a user’s session even after the user initiates logout. It makes it possible for an attacker to reuse the admin cookies either via local/network access or by other hypothetical attacks.

PoC Details
Access the application by going to http://localhost:3000/users/sign_in and login with admin creds. Use “editthiscookie” extension and copy the cookie values and then logout of the application. Now, go to “editthiscookie” and import the copied cookies and refresh the page. After we refresh the page, we see that we are again logged in to the account.

Affected Environments
1.0.0 to v.7.33.2

Prevention
Update version to v.7.33.3
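The following is an added illustration of the failure mode described above, not code from the Ifme project and not a description of how Ifme implements sessions. It models a minimal server-side session store (all names, the `SessionStore` class, and the token scheme are constructed for this example) and contrasts a logout that only tells the browser to drop its cookie with one that also deletes the server-side record, so that a copied cookie value stops resolving to the user once the user has logged out.

```ruby
require 'securerandom'

# Constructed minimal session store: maps an opaque cookie token to a user.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Login: issue a fresh random token and remember which user it belongs to.
  def create(user)
    token = SecureRandom.hex(16)
    @sessions[token] = user
    token
  end

  # Resolve a presented cookie token to a user, or nil if it is not valid.
  def lookup(token)
    @sessions[token]
  end

  # Weak logout: only returns a header that expires the browser's cookie.
  # The server still honours the token, so any copy of it keeps working.
  def logout_client_only(_token)
    'session=; Max-Age=0'
  end

  # Correct logout: remove the server-side record as well as expiring the
  # cookie, so the token can no longer be replayed from any copy.
  def logout_server_side(token)
    @sessions.delete(token)
    'session=; Max-Age=0'
  end
end

# Exercise the sequence from the advisory against the constructed store:
# log in, keep a copy of the cookie value, log out, present the copy again.
# Returns true when the copied cookie still resolves to a user after logout.
def replay_after_logout(store, server_side:)
  token = store.create('admin')
  copied = token.dup # the value retained before logout
  if server_side
    store.logout_server_side(token)
  else
    store.logout_client_only(token)
  end
  !store.lookup(copied).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "client-only logout, replay accepted: #{replay_after_logout(SessionStore.new, server_side: false)}"
  puts "server-side logout, replay accepted: #{replay_after_logout(SessionStore.new, server_side: true)}"
end
```

The check a reviewer would apply to any web application is the same as the PoC above: after logout, a previously captured session cookie must be rejected by the server, not merely absent from the browser. Whether that is achieved by deleting a server-side session record, as here, or by bumping a per-user session generation that stored tokens are compared against, the invalidation has to happen on the server.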
Good to know:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Access Vector (AV): Network
Access Complexity (AC): Low