CVE-2023-45659

Published: Oct 17, 2023Modified: Nov 21, 2024

2.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Exploitability: 1.3 / Impact: 1.4

Source: NVD

Description

Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability.

Affected (1)

Products: Engelsystem: Engelsystem

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Engelsystem Engelsystem	Before 2023-09-18

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (4)

https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d

Source: security-advisories@github.com

Patch

https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/engelsystem/engelsystem/commit/dbb089315ff3d8aabc11445e78fb50765208b27d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/engelsystem/engelsystem/security/advisories/GHSA-f6mm-3v2h-jm6x

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.