Summary:
While conducting my research I discovered that the application failed to validate sessions after a password change. In this scenario, changing the password doesn't destroy the other sessions that are logged in with the old password in another browser.
Steps To Reproduce:
1) Log in with the same account in Chrome and Firefox simultaneously.
2) Change the password in the Chrome browser.
3) Go to Firefox and update any information. You get an error; then refresh the tab and change the information again. The information will be updated.
-----> If the attacker is logged in with Firefox and the user knows their password was stolen, then even if the user changes their password, the account remains insecure and the attacker has full access to the victim's account.
Impact
If the attacker is logged in with Firefox and the user knows their password was stolen, then even if the user changes their password, changes their name or username, or enables multi-factor authentication, the attacker can delete the victim's account. The account remains insecure and the attacker has full access to the victim's account.
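The following is an added illustration, not code from the original report or the affected application: a minimal server-side session store that reproduces the behaviour described above (a second browser's session survives a password change) and, with one flag, the usual fix of tying each session to a per-user credential generation that is bumped on every password change. All names (SessionStore, credential_generation, demo) are hypothetical, and the hashing helper is a stand-in for a real password KDF.

```python
# Added example (not part of the original report): session invalidation on
# password change. Class and method names are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash(password: str) -> str:
    # Constructed stand-in; a real application would use bcrypt/argon2.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    name: str
    password_hash: str
    # Incremented on every password change. A session is only valid while
    # it carries the user's current generation.
    credential_generation: int = 0


@dataclass
class Session:
    user: str
    generation: int


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool):
        self.invalidate = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash(password))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or user.password_hash != _hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_generation)
        return token

    def is_valid(self, token: Optional[str]) -> bool:
        session = self.sessions.get(token or "")
        if session is None:
            return False
        user = self.users[session.user]
        if not self.invalidate:
            # Reported behaviour: any issued session stays valid forever.
            return True
        # Fixed behaviour: sessions issued before the last password change
        # carry a stale generation and are rejected.
        return session.generation == user.credential_generation

    def change_password(self, token: Optional[str], old: str, new: str) -> bool:
        if not self.is_valid(token):
            return False
        session = self.sessions[token]  # type: ignore[index]
        user = self.users[session.user]
        if user.password_hash != _hash(old):
            return False
        user.password_hash = _hash(new)
        if self.invalidate:
            user.credential_generation += 1
            # Re-issue only the session that performed the change; every
            # other session for this user is now stale.
            session.generation = user.credential_generation
        return True


def demo(invalidate: bool) -> Tuple[bool, bool]:
    """Replays the report's steps: two browsers log in, Chrome changes the
    password. Returns (chrome_still_valid, firefox_still_valid)."""
    store = SessionStore(invalidate)
    store.register("victim", "old-password")
    chrome = store.login("victim", "old-password")
    firefox = store.login("victim", "old-password")  # second browser
    assert store.change_password(chrome, "old-password", "new-password")
    return store.is_valid(chrome), store.is_valid(firefox)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # (True, True): Firefox session survives
    print("fixed:     ", demo(True))   # (True, False): Firefox session revoked
```

The generation counter is the simplest form of the fix because it needs no enumeration of a user's sessions: the check happens on every request, so it also covers sessions stored in caches or on other nodes. The same counter can be bumped on other credential events the report mentions (enabling multi-factor authentication, changing the username), and a session whose generation is stale should be treated as logged out rather than merely erroring on the next write.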