What are you trying to achieve?
Insufficient session expiration allows an attacker to reuse old session credentials or session IDs for authorization after a password change. In this scenario, a user's session in a separate tab or on another device remains active even after the password is changed elsewhere.
Steps to reproduce the problem
1. Log in to the admin account in a normal tab (TAB A) and in a private tab (TAB B).
2. Change the password in TAB A.
3. There will be an active session in both tabs, even after the password change.
What did you expect to happen?
Due to this vulnerability, there is no way for the victim to revoke the attacker's access if the account has already been compromised.
Logs
No response
Environment
Saleor version: 3.19.34
(Pasting from a reply in Saleor's security mailing list)
The following should be done:
Document the behavior and remediation (storefronts can invoke the tokensDeactivateAll() mutation)
Code change: in a new minor version of Saleor, all mutations that change the password shall invalidate previous sessions (password reset, password change, etc.)
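The remediation the reply describes, shown as an added example that is not Saleor's own code: every issued session token carries a per-user token key, verification rejects any token whose key no longer matches, and a password change rotates that key, which is the same effect a "deactivate all tokens" mutation has. The names (`User`, `issue_token`, `verify_token`, `change_password`, `SERVER_SECRET`) and the HMAC token format are assumptions made for this illustration; the password hashing is a stand-in, not a real KDF.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"

class User:
    """Minimal user record: password hash plus a per-user token key (assumed name)."""
    def __init__(self, email: str, password: str):
        self.email = email
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()  # stand-in, not a real KDF
        self.token_key = secrets.token_hex(16)  # every token issued for this user embeds this value

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: User) -> str:
    """Issue a signed session token bound to the user's current token key."""
    payload = {"sub": user.email, "iat": int(time.time()), "tkey": user.token_key}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, users: dict):
    """Return the User if the signature is valid AND the embedded key is still current, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None  # tampered or forged token
    payload = json.loads(_unb64(body))
    user = users.get(payload.get("sub"))
    # After a key rotation every token issued before it fails this comparison.
    if user is None or not hmac.compare_digest(payload.get("tkey", ""), user.token_key):
        return None
    return user

def deactivate_all_tokens(user: User) -> None:
    """Rotate the per-user key: all previously issued tokens become invalid at once."""
    user.token_key = secrets.token_hex(16)

def change_password(user: User, new_password: str) -> None:
    """The fix: every password-changing path also invalidates the existing sessions."""
    user.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
    deactivate_all_tokens(user)
```

The same `deactivate_all_tokens` step belongs in the password-reset path, so that a token held in TAB B stops validating the moment the password is changed in TAB A.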