In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Mend
Published: 2021-11-16T09:45:19
Updated: 2021-11-16T09:45:19
Reserved: 2021-01-22T00:00:00
Link: CVE-2021-25985
JSON object: View
NVD Information
Status : Modified
Published: 2021-11-16T10:15:07.167
Modified: 2023-11-07T03:31:33.097
Link: CVE-2021-25985
JSON object: View
Redhat Information
No data.
CWE