WS-2021-0488

Date: December 15, 2021

Overview

An insufficient session expiration vulnerability in “vc-platform (VirtoCommerce)” application version v2.1 to v3.79.0 may allow an attacker to reuse the unexpired admin user session cookie to gain admin privileges, should the attacker be able to obtain that session cookie (via other, hypothetical attacks).

Details

The “vc-platform (VirtoCommerce)” application does not properly invalidate a user’s session on the server after the user logs out. User sessions remain active on the server, and any request submitted with the user’s session identifier executes successfully, as though the user had made that request.
Impact: An attacker can use a previously used or otherwise available session token to log in to the application.

PoC Details

Log in to the application with an admin user. Copy the cookies created by the above request and save them. Log out of the application. Open the application in a private window and paste the cookies copied before. Refresh the page and notice that the browser is logged in as the admin user.
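The logout defect described above and the PoC steps, as an added illustration that is not VirtoCommerce code: a minimal in-memory session store whose `invalidate_on_logout` flag switches between the vulnerable behaviour (only the browser cookie is cleared) and the fix (the server-side record is removed), plus a regression check that replays the saved admin cookie after logout. All names and the store design are assumptions for this example.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    roles: frozenset
    expires_at: float


@dataclass
class SessionStore:
    """In-memory session table keyed by the opaque cookie value (example only)."""
    ttl_seconds: float = 3600.0
    invalidate_on_logout: bool = True   # False reproduces the advisory's defect
    _sessions: dict = field(default_factory=dict)

    def login(self, user: str, roles) -> str:
        # Opaque, unguessable identifier; the cookie carries only this value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, frozenset(roles),
                                      time.monotonic() + self.ttl_seconds)
        return sid

    def logout(self, sid: str) -> None:
        # Vulnerable pattern: only the browser cookie is cleared and the
        # server-side record stays valid until its TTL elapses.
        if self.invalidate_on_logout:
            self._sessions.pop(sid, None)

    def resolve(self, sid: str):
        """Session for a presented cookie, or None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None or time.monotonic() >= sess.expires_at:
            self._sessions.pop(sid, None)
            return None
        return sess

    def is_admin(self, sid: str) -> bool:
        sess = self.resolve(sid)
        return sess is not None and "admin" in sess.roles


def replay_after_logout(store: SessionStore) -> bool:
    """PoC as a regression check: replay the saved admin cookie after logout; True means vulnerable."""
    sid = store.login("admin", ["admin"])
    store.logout(sid)
    return store.is_admin(sid)
```

A deployment's own logout handler should make `replay_after_logout` return False; the same check also catches a server-side store that honours expiry but never deletes on logout.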

Affected Environments

v2.1 to v3.79.0

Prevention

no fix

Language: C#

Good to know:

Insufficient Session Expiration

CWE-613

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High