WS-2021-0488
Date: December 15, 2021
Overview
An insufficient session expiration vulnerability in the vc-platform (VirtoCommerce) application, versions v2.1 to v3.79.0, may allow an attacker to reuse an unexpired admin user session cookie to gain admin privileges, should the attacker be able to obtain that session cookie (via other, hypothetical attacks).
Details
The vc-platform (VirtoCommerce) application does not properly invalidate a user's session on the server after the user logs out. User sessions remain active on the server, and any request that includes the user's session identifier executes successfully, as though the user had made it.
Impact: An attacker can use a previously used or otherwise available session token to log into the application.
PoC Details
1. Log in to the application with an admin user.
2. Copy the cookies created by the login request and save them.
3. Log out of the application.
4. Open the application in a private window and paste the cookies copied before.
5. Refresh the page and observe that the session is still logged in as the admin user.
Affected Environments
v2.1 to 3.79.0
Prevention
No fix
Language: C#
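The root cause described above is a session whose validity lives only in the cookie the browser holds, so deleting the browser's copy on logout leaves any saved copy usable until it expires. The remedy is to keep the session state (or a reference to it) on the server and delete it on logout. The following is an added example, not vc-platform code, and it assumes the application uses the built-in ASP.NET Core cookie authentication handler (the advisory does not say which mechanism vc-platform actually uses). It plugs a server-side `ITicketStore` into the cookie handler so that `SignOutAsync` removes the ticket on the server; a replayed cookie then resolves to no ticket and the request is treated as anonymous. `InMemoryTicketStore` and the `/logout` and `/admin/whoami` endpoints are names chosen for this illustration.

```csharp
// Added example, not vc-platform code: ASP.NET Core cookie authentication with a
// server-side ticket store, so that logout invalidates the session on the server.
// Assumes the application uses the built-in cookie authentication handler.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSingleton<ITicketStore, InMemoryTicketStore>();
builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Without a SessionStore the cookie is a self-contained encrypted ticket:
        // SignOutAsync only deletes the browser's copy, and a saved copy stays valid
        // until ExpireTimeSpan elapses. That is the behaviour the advisory describes.
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

// The store is resolved from DI, so it is attached to the cookie options here
// rather than inside the AddCookie callback.
builder.Services
    .AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
    .Configure<ITicketStore>((options, store) => options.SessionStore = store);

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/logout", async (HttpContext ctx) =>
{
    // With SessionStore set, SignOutAsync calls ITicketStore.RemoveAsync before
    // deleting the cookie, so a replayed cookie no longer maps to a ticket.
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.NoContent();
}).RequireAuthorization();

// Example protected endpoint: returns 401 once the ticket has been removed.
app.MapGet("/admin/whoami", (HttpContext ctx) => Results.Ok(ctx.User.Identity?.Name))
   .RequireAuthorization();

app.Run();

// In-memory store for illustration (hypothetical name). A multi-node deployment
// needs a shared store, such as a distributed cache, so that logout on one node
// invalidates the session on every node.
public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // The cookie carries only this random key; the claims never leave the server.
        var key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Called on sliding-expiration refresh; the key in the cookie stays the same.
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        // A removed or unknown key yields null, which the handler treats as anonymous.
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}
```

Sign-in through `HttpContext.SignInAsync` is the application's existing code and is not repeated here; with the store in place it transparently calls `StoreAsync` and puts only the returned key in the cookie. A regression test for this class of issue follows the PoC steps from the defender's side: authenticate, save the cookie, call `/logout`, replay the saved cookie against `/admin/whoami`, and require a 401 rather than the admin identity.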
Good to know:
| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |