
301 Concurrent sessions control bypass


Description

It is possible to bypass concurrent session control: when the application shows the error that a session is already active for the user, navigating directly to any valid URL in the application still grants access, because the new session was issued before the check.


Impact

Access the application concurrently with the same user account, causing loss of traceability (actions can no longer be attributed to a single session).


Recommendation

Immediately invalidate the previous session when the user logs in from a new location, rather than only displaying an error.
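The flawed pattern behind this finding and the recommended fix, as an added example that is not part of the original page: a hypothetical in-memory `SessionStore` issues the session cookie before the concurrency check, so the "session already active" error is only cosmetic; with the fix enabled, the previous session is invalidated at login instead.

```python
# Added illustration (hypothetical names: SessionStore, login, request).
# Models the bypass in the Description and the fix in the Recommendation.
import secrets


class SessionStore:
    def __init__(self, invalidate_previous: bool):
        self.invalidate_previous = invalidate_previous
        self.sessions = {}        # session_id -> username (live sessions)
        self.current = {}         # username -> most recent session_id

    def login(self, username: str, password_ok: bool):
        """Return (session_id, error). The session is created before the
        concurrency check, which is exactly what makes the error bypassable."""
        if not password_ok:
            return None, "bad credentials"
        sid = secrets.token_hex(16)
        self.sessions[sid] = username        # cookie issued first (the flaw)
        previous = self.current.get(username)
        if previous is not None and previous in self.sessions:
            if self.invalidate_previous:
                # Recommendation: kill the earlier session immediately
                del self.sessions[previous]
            else:
                # Vulnerable: error shown, but the new session stays valid,
                # so any direct request with `sid` is served normally
                return sid, "a session is already active for this user"
        self.current[username] = sid
        return sid, None

    def request(self, sid: str, path: str):
        """Any valid URL: returns the user if the cookie maps to a live session."""
        return self.sessions.get(sid)


def live_sessions(store: SessionStore, username: str) -> int:
    """Number of concurrent live sessions for a user (should be at most 1)."""
    return sum(1 for u in store.sessions.values() if u == username)


if __name__ == "__main__":
    vuln = SessionStore(invalidate_previous=False)
    first, _ = vuln.login("alice", True)
    second, err = vuln.login("alice", True)
    print(err, "->", vuln.request(second, "/dashboard"))  # error, yet served
    print("live sessions:", live_sessions(vuln, "alice"))  # 2
```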


Threat

Malicious actor from the intranet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: A
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/19