When the admin changes a user's password, or a user changes their own password, the old session/token can still be used. This is CWE-613: Insufficient Session Expiration.
Current behavior
When the admin changes a user's password, or a user changes their own password, the old session/token can still be used. This is CWE-613: Insufficient Session Expiration.
PoC
Expected behavior
When the user's password is changed, require a re-login, or invalidate the session/token tied to the old password.
Operating system
Solution
When changing the user's password, also terminate the user's session or invalidate the user's authentication token.
Position:
cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/api/ApiUserController.java, line 255 in 250e1d5
cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/apps/AppsController.java, line 271 in 250e1d5
cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/api/ApiUserController.java, line 255 in e0992e1
cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/apps/AppsController.java, line 288 in e0992e1
Code version
v7.x, v8.x
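The fix described in the Solution section, as an added example that is not cskefu's code: a constructed in-memory session store with a switch that reproduces the reported behaviour (tokens survive a password change) or applies the fix. The fix binds every issued session/token to a password "generation" counter on the user record and, on a password change (by the user or by an admin), bumps the counter and revokes the user's server-side sessions. The class and function names, the `pw_generation` field and the `keep_token` parameter are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0   # assumed field: bumped on every password change


@dataclass
class Session:
    username: str
    pw_generation: int       # generation the token was issued under
    issued_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthService:
    """Constructed server-side session store. invalidate_on_password_change=False
    reproduces the reported CWE-613 behaviour; True applies the fix."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}   # token -> Session

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.pw_generation, time.time())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the username for a valid token, else None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess.username]
        if self.invalidate and sess.pw_generation != user.pw_generation:
            # Issued under an older password: reject it and drop it from the store.
            del self.sessions[token]
            return None
        return sess.username

    def change_password(self, username: str, new_password: str,
                        keep_token: Optional[str] = None) -> int:
        """Set a new password (self-service or admin reset) and return the number
        of sessions revoked. keep_token optionally keeps the session that performed
        a self-service change; an admin reset passes None so every session dies."""
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        if not self.invalidate:
            return 0                     # vulnerable path: sessions untouched
        user.pw_generation += 1          # stale tokens now fail the generation check
        revoked = 0
        for tok, sess in list(self.sessions.items()):
            if sess.username != username:
                continue
            if tok == keep_token:
                sess.pw_generation = user.pw_generation   # re-bind the survivor
            else:
                del self.sessions[tok]
                revoked += 1
        return revoked


def old_token_survives(invalidate: bool) -> bool:
    """Constructed scenario: a user logs in, an admin resets the password, and we
    ask whether the pre-reset token still authenticates."""
    svc = AuthService(invalidate_on_password_change=invalidate)
    svc.create_user("alice", "old-password")
    token = svc.login("alice", "old-password")
    assert token is not None
    svc.change_password("alice", "new-password")   # admin reset: no survivor
    return svc.authenticate(token) == "alice"


if __name__ == "__main__":
    print("vulnerable:", old_token_survives(False))  # True
    print("fixed:", old_token_survives(True))        # False
```

Two mechanisms are used together on purpose: revoking the server-side session records covers the store the application can enumerate, while the generation check on every request also catches tokens the store cannot enumerate (for example a cached token copied to another node or a stateless signed token), so a change of password is enforced on the next request no matter where the old token lives.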