Comment 4 for bug 1363873

abhishek dashora (abhishekdashora271) wrote : Re: [Bug 1363873] Re: Session Management Issue- Session is not invalidating after password change

Is the CVE ID confirmed for this? Is this CVE ID allocated to me?

On Nov 8, 2017 9:24 AM, "Kristina Hoeppner" <email address hidden>
wrote:

> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000136
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara:
> Fix Released
> Status in Mahara 1.10 series:
> Fix Released
> Status in Mahara 1.8 series:
> Fix Released
> Status in Mahara 1.9 series:
> Fix Released
> Status in Mahara 15.04 series:
> Fix Released
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Log in to the application using https://mahara.org/.
> 2. Let's assume the application user's account is compromised, so he wants to
> change his password: he will navigate to the forgot password page and will
> change his password.
> 3. The application user is able to change his password, but it was observed
> that the previous session was still not invalidated and I was actually able
> to browse the application from both of the sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password, but if the previous session is not invalidated there is
> no use in changing the password.
> Please let me know if you need a video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and enforce the application user to relogin in the
> application.
>
> Thanks and Regards,
> Abhishek Dashora
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
>
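The remediation the reporter asks for (drop every existing session when the password changes, whether through the authenticated change-password form or the forgot-password reset, and make the user log in again) can be implemented with a server-side session store that records a per-user password generation. The following is an added illustration and is not Mahara's code; every name in it (`SessionStore`, `change_password`, `reset_password`, `password_generation`) is hypothetical, and the password hashing is a stand-in for a real password hash.

```python
"""Toy server-side session store demonstrating session invalidation on
password change. Hypothetical example, not Mahara's implementation.

Two layers are combined on purpose:
  1. explicit revocation: all of the user's sessions are deleted from
     the store when the password changes (or reset);
  2. a generation check: each user has a counter bumped on every change,
     each session remembers the counter value it was issued under, and a
     mismatch rejects the session even if revocation somehow missed it.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_password(pw: str) -> str:
    # Placeholder only: a real application must use bcrypt/argon2/scrypt.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


@dataclass
class User:
    user_id: int
    password_hash: str
    password_generation: int = 0  # bumped on every password change/reset


@dataclass
class Session:
    token: str
    user_id: int
    password_generation: int      # generation the session was issued under
    created_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._users: Dict[int, User] = {}

    def add_user(self, user: User) -> None:
        self._users[user.user_id] = user

    def login(self, user_id: int, password: str) -> Optional[str]:
        user = self._users.get(user_id)
        if user is None or user.password_hash != hash_password(password):
            return None
        token = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[token] = Session(token, user_id, user.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        if s is None:
            return False
        # Generation mismatch => session predates a password change => stale.
        return s.password_generation == self._users[s.user_id].password_generation

    def active_sessions(self, user_id: int) -> int:
        return sum(1 for s in self._sessions.values()
                   if s.user_id == user_id and self.is_valid(s.token))

    def _revoke_all(self, user_id: int, keep: Optional[str] = None) -> None:
        stale = [t for t, s in self._sessions.items()
                 if s.user_id == user_id and t != keep]
        for t in stale:
            del self._sessions[t]

    def reset_password(self, user_id: int, new_password: str) -> bool:
        """Forgot-password flow: no authenticated session exists, so every
        session for the user is dropped and the user must log in again."""
        user = self._users.get(user_id)
        if user is None:
            return False
        user.password_hash = hash_password(new_password)
        user.password_generation += 1
        self._revoke_all(user_id)
        return True

    def change_password(self, token: str, new_password: str) -> bool:
        """Authenticated change: the session that performed the change is
        re-issued under the new generation, all other sessions are dropped."""
        if not self.is_valid(token):
            return False
        s = self._sessions[token]
        user = self._users[s.user_id]
        user.password_hash = hash_password(new_password)
        user.password_generation += 1
        self._revoke_all(user.user_id, keep=token)
        s.password_generation = user.password_generation
        return True
```

Keeping the session that performed an authenticated change is a usability choice; a reset through the forgot-password page keeps nothing, because that path is exactly the one a user takes when a session may already be in someone else's hands. Whichever policy is chosen, a login event after a password change is the signal to look for in logs when verifying the fix.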