CVE-2024-31556: Reportico Web fails to invalidate cookies upon logout

May 14, 2024

An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the oversight in the application’s implementation, the session cookie remains active even after logout. Consequently, if an attacker obtains the session cookie, they can exploit it to access the user’s session and perform unauthorized actions.

References

github.com/advisories/GHSA-2q2f-h83x-cx3x
github.com/reportico-web/reportico
github.com/reportico-web/reportico/issues/53
nvd.nist.gov/vuln/detail/CVE-2024-31556

Detect and mitigate CVE-2024-31556 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →