parisneo Lollms Insufficient Session Expiration Vulnerability
Vulnerability
An insufficient session expiration vulnerability has been identified in the latest version of parisneo/lollms. The application does not invalidate active session tokens after a password reset, so an attacker who already holds a session token can keep using it. The problem is compounded by a default session duration of 31 days, which is excessively long. As a result, an attacker can maintain access to a compromised account even after the victim has reset their password.
Impact
Exploitation of this vulnerability allows an attacker to retain access to a compromised account, bypassing the password reset.
Reproduction
To reproduce this vulnerability, log into the application in two different browsers using the same credentials. After logging in, change the password in one browser. Then, switch to the other browser and refresh the page. The session will remain active, allowing continued access with the old session cookies.
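The missing step described above (binding sessions to the credential state so a password reset revokes them) and the two-browser reproduction, written as an added Python example; this is not lollms code, and the `SessionStore` class, the 12-hour lifetime and the user names are assumptions:

```python
import secrets
from dataclasses import dataclass, field

# Assumed lifetime for the hardened store; the advisory reports lollms
# defaulting to 31 days (31 * 24 * 3600 seconds), which is far too long.
SESSION_LIFETIME_SECONDS = 12 * 3600


@dataclass
class Session:
    user: str
    generation: int   # credential generation current when the session was issued
    issued_at: float


@dataclass
class SessionStore:
    generations: dict = field(default_factory=dict)  # user -> current generation
    sessions: dict = field(default_factory=dict)     # token -> Session

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.generations.setdefault(user, 0), now)
        return token

    def reset_password(self, user: str) -> None:
        # Bumping the generation revokes every session issued before the reset,
        # in every browser; the vulnerable behaviour is simply not doing this.
        self.generations[user] = self.generations.get(user, 0) + 1

    def validate(self, token: str, now: float) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.issued_at > SESSION_LIFETIME_SECONDS:
            self.sessions.pop(token)            # absolute expiry
            return False
        if s.generation != self.generations.get(s.user, 0):
            self.sessions.pop(token)            # issued before a password reset
            return False
        return True


def reproduce_advisory(store: SessionStore) -> dict:
    """Two browsers, same account; reset the password in one, refresh the other."""
    t0 = 1_700_000_000.0                         # constructed clock value
    browser_a = store.login("alice", t0)
    browser_b = store.login("alice", t0)
    store.reset_password("alice")                # done from browser A
    after_reset = store.login("alice", t0 + 1)   # fresh login with the new password
    return {"browser_a": store.validate(browser_a, t0 + 2),
            "browser_b": store.validate(browser_b, t0 + 2),
            "after_reset": store.validate(after_reset, t0 + 2)}
```

With the generation check in place both pre-reset tokens are rejected on the next request, which is the refresh step of the reproduction above; without it, browser B's token stays valid for the full lifetime.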
