ethyca-fides
cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*
- < 2.69.1
A vulnerability exists in Fides, an open-source privacy engineering platform, prior to version 2.69.1, where password changes made through the admin UI do not invalidate active user sessions. This flaw creates an opportunity for attackers who have acquired session tokens via other vulnerabilities, such as Cross-Site Scripting (XSS), to retain access even after a password has been reset. The issue is not directly exploitable on its own and requires a prior vulnerability to obtain valid session tokens.
This vulnerability allows for the persistence of session tokens after a password reset, undermining the effectiveness of the password change as a security measure. It can extend the duration of unauthorized access in cases where tokens are stolen, such as through XSS attacks.
To reproduce this vulnerability, first obtain a valid session token through a method such as Cross-Site Scripting (XSS) that accesses browser storage. Then, change the user's password via the admin UI. After the password change, use the stolen session token to access the user's account, which should still be valid despite the password reset.
Users are advised to upgrade to Fides version 2.69.1 or later, which addresses this vulnerability by ensuring that all user sessions are terminated when a password is changed.
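As an added illustration that is not Fides's own code, the Python model below shows a session store with the flaw described above (a password change that leaves issued tokens valid) beside a corrected change path that terminates the user's sessions. All class and function names are assumptions made for this example.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password_hash: str          # opaque here; hashing is out of scope
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    token: str
    username: str
    issued_generation: int      # password generation at login time


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self.users[username] = User(username, password_hash)

    def login(self, username: str) -> str:
        user = self.users[username]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_generation)
        return token

    def change_password_vulnerable(self, username: str, new_hash: str) -> None:
        # Mirrors the flaw: only the credential changes, so every
        # outstanding session token for this user keeps working.
        self.users[username].password_hash = new_hash

    def change_password_fixed(self, username: str, new_hash: str) -> None:
        # Corrected path: rotate the credential, bump the generation and
        # drop the user's server-side sessions. The generation check in
        # is_valid() also covers tokens that are not held server-side.
        user = self.users[username]
        user.password_hash = new_hash
        user.password_generation += 1
        self.sessions = {t: s for t, s in self.sessions.items() if s.username != username}

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.username)
        return user is not None and session.issued_generation == user.password_generation
```

A session issued before `change_password_vulnerable` still passes `is_valid`, whereas `change_password_fixed` rejects it and only a fresh login yields a valid token.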