Morelitea Initiative Improper Session Invalidation Vulnerability Allowing Continued JWT Token Use
Vulnerability
A vulnerability exists in the Morelitea Initiative project management platform in versions prior to 0.32.4, where the application fails to invalidate JSON Web Tokens (JWT) after a user changes their password. This oversight allows older tokens to remain valid until they expire, enabling continued access to protected API endpoints. The issue arises because there is no mechanism to revoke or invalidate tokens after a password change, leaving accounts vulnerable to unauthorized access.
Impact
Exploitation of this vulnerability allows persistent session hijacking and continued unauthorized access to user accounts, and leaves users unable to revoke a compromised session by changing their password. This behavior violates common security expectations and best practices, increasing the risk of prolonged account compromise.
Reproduction
To reproduce this vulnerability, authenticate a user and obtain a JWT. After obtaining the token, change the account password. Then, log out and log back in to receive a new JWT. Despite the password change, the old JWT remains valid and can be used to access protected API endpoints, such as user or guild data.
Remediation
Users can update to Morelitea Initiative version 0.32.4 or later, where this vulnerability is addressed. Instructions for downloading the latest version are available on the Morelitea Initiative GitHub release page.
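The following is an added example, not code from the Morelitea Initiative project, illustrating the class of fix the advisory describes for both the vulnerability (tokens stay valid after a password change) and the remediation. It assumes HS256-signed JWTs with a constructed demo secret and a hypothetical per-user `password_changed_at` timestamp; the vulnerable authorizer checks only signature and expiry, while the fixed authorizer additionally rejects any token whose `iat` predates the user's last password change.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads its signing key from configuration.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, issued_at: int, ttl: int = 3600) -> str:
    """Mint a minimal HS256 JWT carrying sub, iat and exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": issued_at, "exp": issued_at + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str, now: int):
    """Return the payload if the signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm so an attacker-supplied header cannot downgrade it.
    if header.get("alg") != "HS256":
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def vulnerable_authorize(token: str, now: int, users: dict) -> bool:
    """Signature + expiry only: a token outlives the password that issued it."""
    payload = verify_signature(token, now)
    return payload is not None and payload.get("sub") in users


def fixed_authorize(token: str, now: int, users: dict) -> bool:
    """Also reject tokens issued before the user's last password change."""
    payload = verify_signature(token, now)
    if payload is None:
        return False
    user = users.get(payload.get("sub"))
    if user is None:
        return False
    # Hypothetical per-user field; tokens minted in the same second as the
    # change are accepted, so a stricter deployment may use '>' instead.
    return payload["iat"] >= user["password_changed_at"]


def change_password(users: dict, user_id: str, now: int) -> None:
    """Record the change time; this is what invalidates earlier tokens."""
    users[user_id]["password_changed_at"] = now


def demo() -> dict:
    """Constructed scenario mirroring the advisory's reproduction steps."""
    users = {"alice": {"password_changed_at": 0}}
    t0 = 1_700_000_000
    old_token = issue_token("alice", t0)          # obtained before the change
    change_password(users, "alice", t0 + 60)
    new_token = issue_token("alice", t0 + 61)     # obtained by logging in again
    now = t0 + 120
    return {
        "vuln_old": vulnerable_authorize(old_token, now, users),   # True: still valid
        "vuln_new": vulnerable_authorize(new_token, now, users),   # True
        "fixed_old": fixed_authorize(old_token, now, users),       # False: revoked
        "fixed_new": fixed_authorize(new_token, now, users),       # True
    }


if __name__ == "__main__":
    print(demo())
```

The check costs one extra field per user and no server-side token store: because the comparison is against `iat`, every token minted before the password change fails closed, which is the revocation mechanism the advisory says was missing. The same pattern generalizes to "log out everywhere" by bumping the timestamp without changing the password.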
