Open menghaining opened 5 months ago
SurveyKing deactivate user not effect. After admin deactivating user, user can still operate using old session.
v1.3.1, also the version in the latest docker version
updated at Nov 10, 2022
Attacker obtains user1's sessionid. Admin deactivate user1. Attacker can continue attacking.
user1 login.
admin login and deactivate user1.
user1 can still operate by crafting request with old session.
Description
SurveyKing deactivate user not effect. After admin deactivating user, user can still operate using old session.
Affected version
v1.3.1, also the version in the latest docker version
updated at Nov 10, 2022
Attack vector(s)
Attacker obtains user1's sessionid. Admin deactivate user1. Attacker can continue attacking.
POC
user1 login.
admin login and deactivate user1.
user1 can still operate by crafting request with old session.