We received the following information about a potential security issue.
Is it real and, if so, known in CS-Cart?
Steps to Reproduce:
1- Open Browser A and log in to YOURSITEWEB using a valid account.
2- Keep the session active in Browser A.
3- Open Browser B (or an incognito window).
4- Navigate to: YOURSITEWEB/index.php?dispatch=auth.recover_password
5- Successfully reset the account password.
6- Return to Browser A and refresh any authenticated page.
7- Observe that the user is still logged in despite the password change.

Impact:
This vulnerability can be exploited to:
- Maintain unauthorized access after a password reset
- Allow attackers with an existing session to retain control of an account
- Defeat the purpose of password resets during account recovery
- Increase the impact of stolen or hijacked sessions
- Enable prolonged account compromise

This significantly weakens account security, especially in cases of credential theft or session hijacking.
Curious. I don’t think that’s necessarily a vulnerability. I have seen big sites that work like that. Usually what other sites like Microsoft do, after changing the password they would ask you to log out all devices (all remembered browsers) and this kills any current session. Now for a user to maintain a session and lock you out, they would first have to know your login in the first place.
Needless to say, the inability for CS-Cart to send a verification email for new users is a huge problem and a cause of spam and bot users.
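Added example, not part of the posts above and not CS-Cart code: a small Python model of the behaviour the report expects, where a password reset revokes the account's other sessions by bumping a per-user credential generation that every session is checked against. The class, method names, in-memory store and the user "alice" are hypothetical and constructed for illustration.

```python
import secrets
import time

class SessionStore:
    """Toy in-memory model: each session records the user's credential
    generation at login; bumping the generation revokes older sessions."""

    def __init__(self, idle_timeout=3600):
        self.idle_timeout = idle_timeout
        self.cred_gen = {}   # user -> int, incremented on every password change
        self.sessions = {}   # token -> (user, generation at login, last seen)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.cred_gen.setdefault(user, 0), now)
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, else None (and drop it)."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen, last_seen = entry
        # Reject sessions created before the last password change, or idle too long.
        if gen != self.cred_gen.get(user, 0) or now - last_seen > self.idle_timeout:
            del self.sessions[token]
            return None
        self.sessions[token] = (user, gen, now)
        return user

    def password_changed(self, user, keep_token=None):
        """Call after a successful reset/change. Revokes every session for the
        user; keep_token (the session that made the change, if any) survives."""
        new_gen = self.cred_gen.get(user, 0) + 1
        self.cred_gen[user] = new_gen
        kept = self.sessions.get(keep_token)
        if kept and kept[0] == user:
            self.sessions[keep_token] = (user, new_gen, kept[2])
        return new_gen

def demo():
    store = SessionStore()
    browser_a = store.login("alice")       # steps 1-2: session stays open
    before = store.validate(browser_a)
    store.password_changed("alice")        # steps 4-5: reset from Browser B
    after = store.validate(browser_a)      # step 6: refresh in Browser A
    return before, after
```

A recovery flow has no authenticated session of its own, so `keep_token` is left unset there; an in-account password change would pass the current session's token so only the other devices are logged out.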