CRITICAL🇵🇱 Wersja polska

CVE-2024-29401

CVSS 9.8v3.1pub. 2024-03-26upd. 2025-09-19

xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything.

🤖 AI Analysis
How it works

The application does not invalidate tokens or session identifiers when an administrator account is deleted. An attacker who previously obtained a session identifier from the deleted account (e.g., through interception, leak, or other methods) can still use that session to perform any operations in the system. The system does not verify with each request whether the account associated with the session still exists and is active.

Impact

The attacker gains full administrative access to the application — can read, modify, and delete data, and perform any operations reserved for administrators. The confidentiality, integrity, and availability of the system are compromised.

Mitigation & patch

Apply patches available from the vendor according to the references. As an interim workaround, it is recommended to enforce invalidation of all active sessions when deleting a user account and implement a mechanism to verify the existence and status of an account with each authenticated session request.

Who is affected

Mindskip xzs-mysql version 3.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mindskip Xzs MySQL

    APP
    Mindskip
    3.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2021-46086HIGH7.5ten sam produkt

xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an onli...

CVE-2025-1084MEDIUM5.3ten sam produkt

A vulnerability, which was classified as problematic, has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Af...

CVE-2025-1082MEDIUM5.1ten sam produkt

A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected is an...

CVE-2025-1083LOW2.3ten sam produkt

A vulnerability classified as problematic was found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this vu...

CVE-2022-41431MEDIUM5.4ten sam vendor

xzs v3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /admin/questi...