062 – Concurrent sessions

Description

The application does not validate the number of active sessions each user has, thus a user can login more than once at the same time. Furthermore, the application does not notify the user when a session has already been initiated nor when a second one commences from a different location.

Impact

Affect the traceability and non-repudiation of the users actions.

Recommendation

The system must restrict the number of concurrent sessions that a user can establish and at the same it must notify the user when a login from a different location occurs.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 025 - Manage concurrent sessions

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/09