| Title | Apereo CAS 6.6 Session Expiration |
|---|---|
| Description | The web application has a security flaw in its authentication system, allowing session tokens to remain valid even after a user logs out. This means that, even after the session is terminated and the user has exited the system, the authentication token associated with the user can still be used to access protected resources. When session tokens remain valid after the user logs out, even temporarily, it creates a security gap that can be exploited by malicious attackers. The direct impact of this flaw is that attackers may use these unexpired session tokens to continue accessing protected resources in the application, even without the legitimate user's permission. This can lead to a range of adverse consequences, such as unauthorized access to sensitive information, manipulation of critical data, or even the execution of malicious actions on behalf of the legitimate user. |
| Source | ⚠️ https://gist.github.com/0xArthurSouza/ce3b89887b03cc899d5e8cb6e472b04e |
| User | Arthur Souza (UID 76781) |
| Submission | 11/05/2024 01:31 (2 years ago) |
| Moderation | 11/14/2024 07:53 (9 days later) |
| Status | Accepted |
| VulDB entry | 284522 [Apereo CAS 6.6 /login?service session expiration] |
| Points | 20 |