xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything.
The application does not invalidate tokens or session identifiers when an administrator account is deleted. An attacker who previously obtained a session identifier from the deleted account (e.g., through interception, leak, or other methods) can still use that session to perform any operations in the system. The system does not verify with each request whether the account associated with the session still exists and is active.
The attacker gains full administrative access to the application — can read, modify, and delete data, and perform any operations reserved for administrators. The confidentiality, integrity, and availability of the system are compromised.
Apply patches available from the vendor according to the references. As an interim workaround, it is recommended to enforce invalidation of all active sessions when deleting a user account and implement a mechanism to verify the existence and status of an account with each authenticated session request.
Mindskip xzs-mysql version 3.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMindskip Xzs MySQL
APPMindskip3.8
Related vulnerabilities
xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an onli...
A vulnerability, which was classified as problematic, has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Af...
A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected is an...
A vulnerability classified as problematic was found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this vu...
xzs v3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /admin/questi...