Executive Summary

This vulnerability is an Insufficient Session Expiration issue in the Summer Pearl Group Vacation Rental Management Platform versions up to 1.0.1. When a user changes their password, the platform does not invalidate existing active sessions. This means that an attacker who has a valid session token can continue to access the user's account even after the password has been changed, leading to unauthorized access. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker with a valid session token to maintain access to a user's account even after the user changes their password. This can lead to unauthorized account access, potential data compromise, and loss of control over the affected account. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying whether active user sessions remain valid after a password change. Specifically, you can test by logging in with a user account, capturing the session token, changing the password for that account, and then attempting to use the old session token to access the account. If access is still granted, the vulnerability exists. There are no specific commands provided in the resources, but this manual test involves session token inspection and validation after password changes. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, where the issue of insufficient session expiration after password changes has been fixed. Until the upgrade is applied, consider enforcing manual session invalidation policies or monitoring for suspicious session reuse after password changes. [1]

Useful 0 Not Useful 0