Description
Session does not expire after logout (CWE-613). Although https://nvd.nist.gov/vuln/detail/CVE-2022-25590 (fixed on Feb 20, 2022) reported this issue on version v0.2.0, the fix only invalidates the cookie, not the server-side session. The latest version (docker-latest, uploaded on Nov 10, 2022) still keeps the old session alive after the user logs out.
Affected Version
v1.3.1, also the version in the latest docker image, updated on Nov 10, 2022
POC:
1. Log in
2. Open the settings page
3. Log out
4. Craft a request to modify user information using the old session; it succeeds!!
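The difference between the cookie-only fix described above and a logout that actually ends the session, as an added example (not code from the affected project): a minimal in-memory session store, the two logout variants, and a regression check that replays the old session id against a profile-modification handler, as in the POC steps. All names (`SessionStore`, `modify_user_info`, `replay_after_logout`) are constructed for this illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Removing the record is what makes the session id unusable.
        self._sessions.pop(sid, None)


def logout_cookie_only(store, response_headers, sid):
    # Weak logout (the CVE-2022-25590 fix pattern): the browser forgets the
    # cookie, but the server-side record stays valid for anyone who kept the id.
    response_headers["Set-Cookie"] = "session=; Max-Age=0; Path=/; HttpOnly"


def logout_invalidate(store, response_headers, sid):
    # Correct logout: destroy the server-side session, then clear the cookie.
    store.destroy(sid)
    response_headers["Set-Cookie"] = "session=; Max-Age=0; Path=/; HttpOnly"


def modify_user_info(store, sid, new_email):
    """Handler for the 'modify user information' request; returns an HTTP status."""
    session = store.lookup(sid)
    if session is None:
        return 401  # old session id must be rejected after logout
    session["email"] = new_email
    return 200


def replay_after_logout(logout_fn):
    """Regression check: log in, log out, replay the old session id."""
    store = SessionStore()
    sid = store.create("alice")  # constructed test user
    logout_fn(store, {}, sid)
    return modify_user_info(store, sid, "replayed@example.invalid")
```

`replay_after_logout(logout_cookie_only)` returns 200, reproducing the reported behaviour; `replay_after_logout(logout_invalidate)` returns 401, which is the check a fix for this issue should pass.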