CVE-2026-14725
Status: Received - Intake

Session Expiration in Online Boat Reservation System

Vulnerability report for CVE-2026-14725, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_boat_reservation_system 1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-14725 vulnerability involves improper session invalidation in the Online Boat Reservation System, a PHP application. The application fails to properly terminate authenticated sessions after a user logs out, so a browser that was previously authenticated can continue to load administrative pages without being redirected to the login page.

This flaw is caused by insufficient session termination and a lack of consistent authentication validation on protected resources. An attacker with access to a previously authenticated browser session could exploit this to gain unauthorized access to sensitive administrative functions.

The root cause is the application's failure to destroy server-side sessions during logout and enforce authentication checks across protected endpoints.

Impact Analysis

This vulnerability can lead to session abuse and unauthorized access to sensitive administrative functions within the Online Boat Reservation System.

An attacker who exploits this flaw could access confidential data, especially on shared or public systems, by using a previously authenticated session without needing to log in again.

Detection Guidance

This vulnerability can be detected by verifying whether authenticated sessions are properly terminated after logout and checking if protected administrative pages require authentication.

  • Attempt to access administrative URLs such as /admin/index.php after logging out to see if access is still granted without redirection to the login page.
  • Use browser developer tools or network monitoring tools to check if session cookies are cleared or invalidated upon logout.
  • Commands to test session invalidation might include using curl or wget to simulate logout and then access protected pages, for example:
    1. curl -c cookies.txt -d 'login_data' https://targetsite/login.php (to log in and save cookies)
    2. curl -b cookies.txt https://targetsite/admin/index.php (to check access to the admin page)
    3. curl -b cookies.txt https://targetsite/logout.php (to log out)
    4. curl -b cookies.txt https://targetsite/admin/index.php (to verify whether access is still possible after logout)

Mitigation Strategies

Immediate mitigation steps include properly destroying server-side sessions during logout and ensuring session cookies are cleared.

  • Implement consistent authentication checks on all protected resources to prevent unauthorized access.
  • Redirect unauthenticated users to the login page when they attempt to access restricted areas.
  • Regenerate session identifiers after authentication to prevent session fixation.
  • Review and update the application code to enforce proper session invalidation and authentication validation.

Compliance Impact
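The mitigation steps above amount to three pieces of PHP: a logout that actually destroys the server-side session and expires the cookie, a guard that every protected page includes so unauthenticated requests are redirected to the login page, and a login path that regenerates the session ID. The following is an added illustration written for this page; it is not code from the Online Boat Reservation System, and the file names (auth_guard.php, logout.php), the /login.php redirect target and the `user_id` session key are assumptions. The weak logout shown first is the shape of the defect the summary describes (session variables left intact, cookie still valid), placed beside the hardened form.

```php
<?php
// Added example (not the project's own code). Assumed layout:
//   auth_guard.php  - included at the top of every protected page
//   login.php       - calls login_user() after verifying credentials
//   logout.php      - calls logout_user() then redirects

// --- Weak logout (illustrative 'before'): the page simply redirects and
// never calls session_destroy(), so the server-side session survives and
// the cookie still maps to an authenticated user.
function weak_logout(): void {
    header('Location: /login.php');
    exit;
}

// --- Hardened pieces ---

// Start the session once, with cookie flags that limit theft and CSRF-style reuse.
function start_secure_session(): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,   // not readable from JavaScript
            'secure'   => true,   // only sent over HTTPS
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Guard for protected pages (e.g. /admin/index.php): include auth_guard.php and
// call require_login() before emitting any output.
function require_login(string $login_url = '/login.php'): void {
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// Called after the credentials have been verified. Regenerating the ID discards
// any session identifier that existed before authentication (session fixation).
function login_user(int $user_id): void {
    start_secure_session();
    session_regenerate_id(true);      // true = delete the old session file
    $_SESSION['user_id'] = $user_id;
}

// Hardened logout: clear the data, expire the cookie in the browser, and
// destroy the server-side session so the old ID cannot be replayed.
function logout_user(): void {
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// logout.php would then be:
//   require 'auth_guard.php';
//   logout_user();
//   header('Location: /login.php', true, 302);
//   exit;
```

With this in place, step 4 of the detection list above (re-requesting /admin/index.php with the saved cookie after logout) returns a 302 to /login.php instead of the admin page, because session_destroy() has removed the server-side record that the cookie pointed at; clearing the cookie alone would not be enough, since a copy of the old cookie value would still be honoured by the server.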

The vulnerability in the Online Boat Reservation System involves improper session invalidation, allowing unauthorized access to administrative functions and potential exposure of confidential data.

Such unauthorized access and exposure of sensitive information can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data to protect user privacy and ensure data security.

Failure to properly terminate sessions and enforce authentication checks increases the risk of data breaches, which may result in violations of these regulations and potential legal and financial consequences.
