Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PILOS is missing session regeneration after password change
Vulnerability Description
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
不充分的会话过期机制
Vulnerability Title
PILOS 代码问题漏洞
Vulnerability Description
PILOS是THM开源的一个前端软件。 PILOS 4.8.0之前版本存在代码问题漏洞,该漏洞源于密码更改后当前会话令牌未失效,可能导致攻击者继续使用已获取的会话令牌维持访问权限。
CVSS Information
N/A
Vulnerability Type
N/A