Описание
In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.
In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-22122
- https://github.com/mattermost/focalboard/commit/0142c114e9325722d6c8e8ca00f10f0f34dd0409
- https://github.com/mattermost/focalboard/commit/0ebc9a4be110764a2510bf886531f21e21b079ea
- https://github.com/mattermost/focalboard/commit/2f08c6782762e58e008bd50f3892cb1cdd1be539
- https://github.com/mattermost/focalboard/commit/6104de5ba51f79d749b9d5406fde5c2983fc5c5c
- https://github.com/mattermost/focalboard/commit/87f4dd224c8736778a8f23788a92471b11da9061
- https://github.com/mattermost/focalboard/commit/a2fab2c1d9b3f61871f6da4dc434a2b19ca9552c
- https://github.com/mattermost/mattermost-server/commit/0a042ca05fefa0584045bab1b7dae102360c98c5
- https://github.com/mattermost/mattermost-server/commit/5f7fd34956ad5bf7e3697a920e377e11c16dda06
- https://github.com/mattermost/mattermost-server/commit/6a4c881450973284c3ed98f39bde4809ddd8a758
- https://github.com/mattermost/mattermost-server/commit/74e87ec3e623202a9654ae164e834cfe26dd6ec3
- https://github.com/mattermost/mattermost-server/commit/7bc182de9eebb708d62b828213144a1aa4560fa0
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22122
CVE ID
Дефекты
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: This candidate is a reservation duplicate of [CVE-2021-37866]. Notes: All CVE users should reference [CVE-2021-37866] instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage