Headline
CVE-2023-45659: Session is not expiring after password reset
Engelsystem is a shift planning system for chaos events. If a user's password is compromised and an attacker has gained access to the user's account, i.e., logged in and obtained a session, the attacker's session is not terminated when the user's account password is reset. This vulnerability has been fixed in commit dbb089315ff3d. Users are advised to update their installations. There are no known workarounds for this vulnerability.
Impact
If a user's password is compromised and an attacker has gained access to the user's account, i.e., logged in and obtained a session, the attacker's session is not terminated when the user's account password is reset.
Patches
This vulnerability has been fixed in the following commit: dbb0893
Workarounds
There are no workarounds available. Users are advised to upgrade to at least dbb0893.
PoC by Eugene Shein
After setting up an Engelsystem instance on http://localhost:5080/settings/password, open http://localhost:5080/settings/password in two browsers (I use Firefox and Chromium).
Log in using both browsers with the same login credentials.
Change the password from the Firefox browser.
After the password is changed, refresh the page in the Chromium browser.
Observe that the session does not expire after the password reset.
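The following is an added example, not Engelsystem's code and not part of the original advisory or PoC. It models the flaw described in the Impact section and the two-browser steps of the PoC above: two sessions are issued for the same account, the password is changed from one of them, and the other session is checked. The `SessionStore`, its `invalidate_on_reset` switch and the `password_generation` counter are assumptions of this example; the mitigation it demonstrates is binding each session to the password generation it was issued under, so that any session issued before a reset stops validating.

```python
"""Model of login sessions and password reset (added example, not Engelsystem code).

With invalidate_on_reset=False the store behaves as the advisory describes:
a session obtained before the reset keeps working. With invalidate_on_reset=True
every session issued under the old password stops validating, while the session
that performed the change is carried over to the new password generation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count chosen for the example only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    token: str
    username: str
    password_generation: int  # generation the session was issued under


class SessionStore:
    """Hypothetical in-memory user and session store."""

    def __init__(self, invalidate_on_reset: bool) -> None:
        self.invalidate_on_reset = invalidate_on_reset
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, hash_password(password, salt), salt)

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_generation)
        return token

    def is_valid(self, token: Optional[str]) -> bool:
        """Per-request check: a session must match the current password generation."""
        session = self.sessions.get(token or "")
        if session is None:
            return False
        user = self.users[session.username]
        if self.invalidate_on_reset and session.password_generation != user.password_generation:
            del self.sessions[token]  # issued before the reset: revoke it
            return False
        return True

    def change_password(self, token: str, new_password: str) -> bool:
        if not self.is_valid(token):
            return False
        session = self.sessions[token]
        user = self.users[session.username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_generation += 1
        # The session that made the change stays logged in under the new generation.
        session.password_generation = user.password_generation
        return True


def reproduce_poc(invalidate_on_reset: bool) -> Dict[str, bool]:
    """Replays the two-browser PoC against the store and reports what each side sees."""
    store = SessionStore(invalidate_on_reset)
    store.register("angel", "old-secret")  # constructed credentials
    firefox = store.login("angel", "old-secret")    # the legitimate user
    chromium = store.login("angel", "old-secret")   # a second, pre-existing session
    assert firefox and chromium and store.change_password(firefox, "new-secret")
    return {
        "changer_still_valid": store.is_valid(firefox),
        "other_still_valid": store.is_valid(chromium),
        "old_password_still_works": store.login("angel", "old-secret") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce_poc(invalidate_on_reset=False))
    print("fixed:     ", reproduce_poc(invalidate_on_reset=True))
```

The generation counter is used rather than deleting the other sessions from the store so that the same check also works for sessions held outside the database (signed cookies or JWT-style tokens), where there is no list of sessions to walk; any token carrying a stale generation is rejected on its next request, which is exactly the "refresh the page in the other browser" step of the PoC.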
Acknowledgements
This issue has been reported by Eugene Shein.