Current behavior

An old authentication token can still be used after an admin deletes the user through the REST API. This is CWE-613: insufficient session expiration.

PoC

Expected behavior

When the admin deletes a user through the REST API, that user's authentication token needs to be invalidated at the same time.

Operating system

Solution

Add invalidation of the deleted user's authorization, such as

bearerTokenMgr.delete(authorization);

at these positions:

cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/api/ApiUserController.java
Line 340 in e0992e1

cskefu/contact-center/app/src/main/java/com/cskefu/cc/controller/api/ApiUserController.java
Line 340 in 250e1d5

Code version

v7.x, v8.x
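The following is an added, self-contained illustration of the CWE-613 pattern described in this issue and of the proposed fix; it is not code from cskefu's ApiUserController or its BearerTokenMgr. The in-memory BearerTokenMgr, UserStore, the deleteUser* handlers and isAuthorized are all hypothetical stand-ins. It goes slightly beyond the single bearerTokenMgr.delete(authorization) call suggested above: because a user may hold several tokens (one per device or login), the fixed handler revokes every token issued to the deleted user rather than only the one in the current request.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical demonstration of insufficient session expiration (CWE-613)
 * on user deletion, and of revoking the user's bearer tokens in the same
 * operation. None of these classes are cskefu's own.
 */
public class TokenRevocationDemo {

    /** Assumed in-memory token store; stands in for the project's bearerTokenMgr. */
    static class BearerTokenMgr {
        private final Map<String, String> tokenToUser = new HashMap<>();
        private final Map<String, Set<String>> userToTokens = new HashMap<>();

        /** Issue a fresh opaque bearer token for a user. */
        String issue(String userId) {
            String token = UUID.randomUUID().toString();
            tokenToUser.put(token, userId);
            userToTokens.computeIfAbsent(userId, k -> new HashSet<>()).add(token);
            return token;
        }

        /** Revoke a single token (the shape of bearerTokenMgr.delete(authorization)). */
        void delete(String token) {
            String userId = tokenToUser.remove(token);
            if (userId != null && userToTokens.containsKey(userId)) {
                userToTokens.get(userId).remove(token);
            }
        }

        /** Revoke every token the user holds, including sessions on other devices. */
        void deleteAllForUser(String userId) {
            Set<String> tokens = userToTokens.remove(userId);
            if (tokens != null) {
                for (String t : tokens) {
                    tokenToUser.remove(t);
                }
            }
        }

        /** Resolve a token to its user id, or null if unknown or revoked. */
        String userFor(String token) {
            return tokenToUser.get(token);
        }
    }

    /** Assumed user table. */
    static class UserStore {
        private final Set<String> users = new HashSet<>();
        void add(String id) { users.add(id); }
        void remove(String id) { users.remove(id); }
    }

    /** Vulnerable: the user record is removed, but every token it held stays valid. */
    static void deleteUserVulnerable(UserStore users, BearerTokenMgr mgr, String userId) {
        users.remove(userId);
    }

    /** Fixed: the user's tokens are revoked in the same operation as the deletion. */
    static void deleteUserFixed(UserStore users, BearerTokenMgr mgr, String userId) {
        users.remove(userId);
        mgr.deleteAllForUser(userId);
    }

    /** A request filter that, like the reported behaviour, trusts any token the store still knows. */
    static boolean isAuthorized(BearerTokenMgr mgr, String token) {
        return mgr.userFor(token) != null;
    }

    public static void main(String[] args) {
        UserStore users = new UserStore();
        BearerTokenMgr mgr = new BearerTokenMgr();

        users.add("agent-1");
        String phoneToken = mgr.issue("agent-1");   // constructed: login from a phone
        String laptopToken = mgr.issue("agent-1");  // constructed: login from a laptop

        deleteUserVulnerable(users, mgr, "agent-1");
        System.out.println("vulnerable delete, phone token still accepted: "
                + isAuthorized(mgr, phoneToken));

        users.add("agent-1");
        deleteUserFixed(users, mgr, "agent-1");
        System.out.println("fixed delete, phone token accepted: " + isAuthorized(mgr, phoneToken));
        System.out.println("fixed delete, laptop token accepted: " + isAuthorized(mgr, laptopToken));
    }
}
```

Revoking only the token carried in the delete request's Authorization header closes the specific case in the report, but a user with more than one active login keeps the others; keying the revocation on the user id, as deleteAllForUser does, covers them all. As defence in depth, the request filter can additionally reject any token whose user no longer exists, so a missed revocation path does not leave a usable session.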