PHPGurukul Small CRM
cpe:2.3:a:phpgurukul:small_crm:*:*:*:*:*:*:*
- 3.0
A session hijacking vulnerability has been identified in PHPGurukul Small CRM version 3.0, specifically within the change password component of the user panel. The issue arises from improper session invalidation, which allows remote attackers to exploit it by manipulating session data.
Exploitation of this vulnerability allows for session hijacking, where an attacker can gain unauthorized access to a user's account and maintain that access even after the user has changed their password. This could lead to unauthorized actions being performed on behalf of the user, access to sensitive data, or misuse of privileges.
To reproduce this vulnerability, navigate to the change password component in the user panel. Observe the session handling process, then inject a known session ID by setting a predictable or captured session token in the browser before the victim logs in. Once the victim authenticates with the injected session ID, the attacker can access the victim's account and change the password.
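A hardened login and change-password flow for the weakness described above, as an added example that is not PHPGurukul's code or part of the original advisory. It issues a new session ID at login, and a password change bumps a per-user counter so that every session created earlier fails validation. The `users` table, the `session_epoch` column and all function names are assumptions, and in-memory SQLite stands in for the application's database.

```php
<?php
declare(strict_types=1);
// Added illustration: schema and function names are hypothetical, not Small CRM's code.
ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
ini_set('session.cookie_httponly', '1');

// Constructed in-memory user store so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash TEXT, session_epoch INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (id, pw_hash) VALUES (1, ?)')
   ->execute([password_hash('old-password', PASSWORD_DEFAULT)]);

function current_epoch(PDO $db, int $uid): int {
    $st = $db->prepare('SELECT session_epoch FROM users WHERE id = ?');
    $st->execute([$uid]);
    return (int) $st->fetchColumn();
}

function login(PDO $db, int $uid, string $password): bool {
    $st = $db->prepare('SELECT pw_hash FROM users WHERE id = ?');
    $st->execute([$uid]);
    $hash = $st->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) return false;
    session_regenerate_id(true);   // new ID at login: a pre-set ID is never promoted
    $_SESSION = ['uid' => $uid, 'epoch' => current_epoch($db, $uid)];
    return true;
}

// Call on every authenticated request, before any privileged action.
function session_is_valid(PDO $db): bool {
    return isset($_SESSION['uid'], $_SESSION['epoch'])
        && $_SESSION['epoch'] === current_epoch($db, $_SESSION['uid']);
}

function change_password(PDO $db, string $new): void {
    // Bumping the epoch invalidates every session created before the change.
    $db->prepare('UPDATE users SET pw_hash = ?, session_epoch = session_epoch + 1 WHERE id = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['uid']]);
    session_regenerate_id(true);   // fresh ID for the session that made the change
    $_SESSION['epoch'] = current_epoch($db, $_SESSION['uid']);
}

session_start();
login($db, 1, 'old-password');
$older = $_SESSION;                 // constructed stand-in for a second, earlier session
change_password($db, 'new-password');
var_dump(session_is_valid($db));    // checks the session that changed the password
$_SESSION = $older;
var_dump(session_is_valid($db));    // checks the earlier session's stale epoch
```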