CubeCart Session Management Vulnerability After Password Change

Vulnerability

A vulnerability exists in CubeCart versions through 6.5.10, in which existing sessions are not terminated when a user changes their password. Anyone already holding a session on another device or browser therefore keeps access to the account after the password has been updated, and the legitimate user has no means to revoke that access; the account stays exposed until the session expires on its own. This is particularly concerning for accounts that have already been compromised, because changing the password does not lock the attacker out.

Impact

The vulnerability allows an attacker to maintain access to a user's account on different devices or browsers, even after the password has been changed. This access can be exploited until the session expires, leaving the account insecure for an extended period.

Reproduction

To reproduce this vulnerability, log into a CubeCart account on one browser (Browser A) and then log in again on a different browser (Browser B) using the same account. Once logged in on both browsers, navigate to the password change option on Browser B and update the password. After the password has been changed, return to Browser A and attempt to access the account or perform actions such as updating the profile. The session will still be active, demonstrating that the password change did not invalidate the session.

Remediation

Update to CubeCart version 6.5.11 or later, in which this vulnerability has been patched.
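The reproduction above and the fix the remediation implies, as an added Python illustration (not CubeCart's own PHP code, whose internals this advisory does not show): each session records the password "generation" it was opened under, and a request is rejected once that generation is stale. The `AuthService` class, the `reproduce` helper, the usernames and the 3600-second TTL are assumptions made for the example.

```python
import hashlib
import os
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed value, not CubeCart's setting

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AuthService:
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "pw_gen"}
        self.sessions = {}  # token -> {"user", "pw_gen", "expires"}

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt), "pw_gen": 0}

    def login(self, username, password):
        u = self.users[username]
        if not secrets.compare_digest(u["hash"], hash_password(password, u["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # Snapshot the password generation in force when this session began.
        self.sessions[token] = {"user": username, "pw_gen": u["pw_gen"],
                                "expires": time.time() + SESSION_TTL}
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None or time.time() > s["expires"]:
            return False
        # Hardened check: a session bound to an older password generation is rejected.
        return s["pw_gen"] == self.users[s["user"]]["pw_gen"]

    def change_password(self, token, new_password, invalidate_sessions=True):
        s = self.sessions[token]
        u = self.users[s["user"]]
        u["salt"] = os.urandom(16)
        u["hash"] = hash_password(new_password, u["salt"])
        if not invalidate_sessions:
            return  # reported behaviour: every other session stays usable
        u["pw_gen"] += 1           # all sessions opened under the old password die
        s["pw_gen"] = u["pw_gen"]  # only the session that made the change survives

def reproduce(invalidate_sessions):
    """Browser A and B both logged in; B changes the password. Returns (A valid, B valid)."""
    svc = AuthService()
    svc.register("alice", "old-pass")
    a = svc.login("alice", "old-pass")
    b = svc.login("alice", "old-pass")
    svc.change_password(b, "new-pass", invalidate_sessions)
    return svc.is_valid(a), svc.is_valid(b)
```

`reproduce(False)` mirrors the advisory (Browser A stays logged in); `reproduce(True)` shows the hardened behaviour, where only Browser B's session survives.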

Added: Sep 22, 2025, 5:24 PM
Updated: Sep 23, 2025, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.