CI4MS Improper Session Invalidation Vulnerability Allowing Persistent Unauthorized Access
Vulnerability
A logic flaw in CI4MS, a CodeIgniter 4-based CMS, allows deleted user accounts to retain active sessions, leading to persistent unauthorized access. This issue affects versions through 0.28.6.0. The vulnerability arises because the application checks account state only at login time and never re-validates it for requests made by an already-established session. As a result, a deleted account can continue to use every functionality, including administrative interfaces, until the user manually logs out. This behavior violates the intended access control policy and has been addressed in version 0.31.0.0.
Impact
The vulnerability allows deleted users to maintain full access to the application indefinitely, bypassing administrative controls and disrupting normal operations. This persistent access increases the risk of unauthorized data modifications, privilege abuse, and service disruptions.
Reproduction
To reproduce this vulnerability, log into the application with a user account. Then, from an administrative account, delete the user account that is currently logged in. The deleted user will remain authenticated and can continue to access all functionalities and protected interfaces, including administrative user management, until they manually log out.
Remediation
To address this vulnerability, CI4MS has released a patch in version 0.31.0.0. Users should update to this version to ensure that active sessions are invalidated immediately upon account deletion.
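The following CodeIgniter 4 code is an added illustration of the flaw described above and of the remediation class of fix, not code from CI4MS and not the actual change shipped in 0.31.0.0 (the advisory does not show it). It contrasts a login-only account check with a global "before" filter that re-validates the account on every request. The table name `users`, the soft-delete column `deleted_at`, the session key `user_id`, the column `password_hash`, and the `/login` and `/dashboard` routes are all assumptions for the example.

```php
<?php
// Added example, not CI4MS code. Assumed names: table `users`, soft-delete
// column `deleted_at`, session key `user_id`; adjust to the real schema.
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Vulnerable pattern (what the advisory describes): the "is this account
 * still valid?" check lives only in the login action. Once the session
 * exists, nothing re-verifies the account, so a user deleted by an admin
 * keeps full access until they log out on their own.
 */
class VulnerableLoginOnlyCheck
{
    public function login(string $username, string $password)
    {
        $user = db_connect()->table('users')
            ->where('username', $username)
            ->where('deleted_at', null)   // checked here, and never again
            ->get()->getRow();

        if ($user === null || ! password_verify($password, $user->password_hash)) {
            return redirect()->back()->with('error', 'Invalid credentials');
        }

        session()->set('user_id', $user->id);
        return redirect()->to('/dashboard');
    }
}

/**
 * Hardened pattern: a global filter runs before every controller and looks
 * the session's user up again. If the row is gone (hard delete) or marked
 * deleted (soft delete), the session is destroyed and the request is sent
 * back to the login page, so deletion takes effect on the very next request.
 */
class AccountStateFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        // Anonymous request: nothing to validate here.
        if ($userId === null) {
            return;
        }

        $user = db_connect()->table('users')
            ->select('id, deleted_at')
            ->where('id', $userId)
            ->get()->getRow();

        if ($user === null || $user->deleted_at !== null) {
            // Account no longer valid: drop the session and force re-authentication.
            $session->destroy();
            return redirect()->to('/login');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}

// Registration (assumed placement) in app/Config/Filters.php, so the filter
// runs before every request rather than only on selected routes:
//   public array $aliases = ['accountState' => \App\Filters\AccountStateFilter::class];
//   public array $globals = ['before' => ['accountState'], 'after' => []];
```

Returning a response from `before()` short-circuits the request in CodeIgniter 4, which is what makes the redirect effective before any protected controller runs. The per-request lookup costs one indexed query; the alternative of purging a user's stored sessions at deletion time needs a session-to-user mapping in the session store and is complementary, not a replacement, since a filter like this also catches sessions the purge misses.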
