CVE-2021-25985 Information
Jun 07, 2022
cve
Description
In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30 improperly invalidate a user’s session even after the user logs out of the application. In addition user sessions are stored in the browser’s local storage which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks followed by a local account takeover.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/FactorJS/factor/blob/v1.8.30/@factor/user/util.ts#L65 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25985
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
9.8
Share on: