Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-25985

In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improperly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.

Published

2021-11-16T10:15:07.167

Last Modified

2024-11-21T05:55:44.120

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-613
Type: Primary
CWE-613

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	darwin	factor	≤ 1.8.30	Yes

References

https://github.com/FactorJS/factor/blob/v1.8.30/%40factor/user/util.ts#L65 ([email protected])
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25985 Third Party Advisory ([email protected])
https://github.com/FactorJS/factor/blob/v1.8.30/%40factor/user/util.ts#L65 (af854a3a-2127-422b-91ae-364da2661108)
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25985 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)