CVE-2021-25966

Date: October 10, 2021

Overview

In the “Orchard Core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to improper session termination after a password change. When a password is changed, either by the user or by an administrator, a user who was already logged in still has access to the application with the old session even after the password was changed.

Details

The “Calibre-web” application is vulnerable to “Cross site request forgery”. By forcing an authenticated user to submit a request, it is possible to create a new user role with admin privileges.

PoC Details

For demonstration purposes we will use two users:
1. Alice, a regular user of the application.
2. Admin, an administrator user.

Steps:
1. Log in to the application as Alice, and in another browser log in as Admin.
2. As Admin, navigate to the “Users” tab under the “Security” section in the left panel. Alice is listed there. Click “Edit Password” for Alice and change the password.
3. Meanwhile, Alice is still logged in on the other browser and can still access her account and perform actions (upload pages, etc.) even after her password has been changed.

Affected Environments

OrchardCore versions 1.0.0-beta1-3383 to 1.0.0

Remediation

Make sure that all existing sessions of a user are invalidated when their password is changed, so that a session established before the change cannot be reused.
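As an added example that is not OrchardCore's own code, the following shows how this remediation looks in an ASP.NET Core Identity application (the framework OrchardCore is built on), covering both the self-service and the administrator password-change paths from the PoC. `PasswordChangeService` and its method names are hypothetical; it assumes the stock `IdentityUser` type, the default Identity token providers, and cookie authentication with `SecurityStampValidator` enabled.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
// Added example, not OrchardCore's own code: terminating existing sessions on a
// password change in an ASP.NET Core Identity app. Class and method names are hypothetical.
public class PasswordChangeService
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    public PasswordChangeService(UserManager<IdentityUser> userManager, SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Startup: re-validate the cookie's security stamp on every request. The default
    // ValidationInterval (30 minutes) is the window in which a cookie issued before
    // the change keeps working even though the stamp has already been rotated.
    public static void ConfigureIdentity(IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.Zero);
    }

    // Self-service change (the "Alice changes her own password" case).
    public async Task<IdentityResult> ChangeOwnPasswordAsync(IdentityUser user,
        string currentPassword, string newPassword)
    {
        var result = await _userManager.ChangePasswordAsync(user, currentPassword, newPassword);
        if (!result.Succeeded) return result;
        // Rotate the stamp explicitly so invalidation does not depend on the user store:
        // every cookie issued before now fails the next SecurityStampValidator check.
        await _userManager.UpdateSecurityStampAsync(user);
        // Re-issue only the calling session's cookie with the new stamp.
        await _signInManager.RefreshSignInAsync(user);
        return result;
    }

    // Administrative change (the "Admin edits Alice's password" case). Nothing is
    // refreshed: every session of the target user, in any browser, must log in again.
    public async Task<IdentityResult> AdminResetPasswordAsync(IdentityUser user, string newPassword)
    {
        var token = await _userManager.GeneratePasswordResetTokenAsync(user);
        var result = await _userManager.ResetPasswordAsync(user, token, newPassword);
        if (!result.Succeeded) return result;
        await _userManager.UpdateSecurityStampAsync(user);
        return result;
    }
}
```

To verify the fix, repeat the PoC steps: after the admin changes Alice's password, Alice's next request in the other browser should be redirected to the login page instead of succeeding.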

Prevention

No fix was provided by the maintainer.

Language: C#

Good to know:


Insufficient Session Expiration

CWE-613

Upgrade Version

No fix version available

Base Score (CVSS v3 metrics):
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): Low
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High

Base Score (CVSS v2 metrics):
- Access Vector (AV): Network
- Access Complexity (AC): Low
- Authentication (AU): Single
- Confidentiality (C): Partial
- Integrity (I): Partial
- Availability (A): Partial