CVE-2024-31556 – reportico-web/reportico

Package

Manager: composer
Name: reportico-web/reportico
Vulnerable Version: >=0 <=8.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00084 pctl0.25227

Details

Reportico Web fails to invalidate cookies upon logout An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the oversight in the application's implementation, the session cookie remains active even after logout. Consequently, if an attacker obtains the session cookie, they can exploit it to access the user's session and perform unauthorized actions.

Metadata

Created: 2024-05-14T21:34:44Z
Modified: 2024-05-14T22:32:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-2q2f-h83x-cx3x/GHSA-2q2f-h83x-cx3x.json
CWE IDs: ["CWE-269", "CWE-613"]
Alternative ID: GHSA-2q2f-h83x-cx3x
Finding: F280
Auto approve: 1