Headline
GHSA-2q2f-h83x-cx3x: Reportico Web fails to invalidate cookies upon logout
An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the oversight in the application’s implementation, the session cookie remains active even after logout. Consequently, if an attacker obtains the session cookie, they can exploit it to access the user’s session and perform unauthorized actions.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-31556
Reportico Web fails to invalidate cookies upon logout
Moderate severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 14, 2024
Package
composer reportico-web/reportico (Composer)
Affected versions
<= 8.1.0
An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the oversight in the application’s implementation, the session cookie remains active even after logout. Consequently, if an attacker obtains the session cookie, they can exploit it to access the user’s session and perform unauthorized actions.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-31556
- reportico-web/reportico#53
Published to the GitHub Advisory Database
May 14, 2024
Last updated
May 14, 2024