CI4MS Improper Session Invalidation Vulnerability Allowing Persistent Unauthorized Access

Vulnerability

A logic flaw in CI4MS, a CodeIgniter 4-based CMS skeleton, allows deactivated user accounts to retain active sessions indefinitely. Prior to version 0.31.0.0, the application did not immediately revoke sessions when an account was deactivated, instead enforcing account state changes only during login. This flaw breaks the access control policy, allowing users to continue accessing all functionalities, including administrative interfaces, as if their accounts were still active. The vulnerability arises from the assumption that authenticated users remain trustworthy for the duration of their sessions, without any mechanism for session or account expiration.

Impact

Exploitation of this vulnerability allows deactivated users to maintain full access to the application, including privileged actions, until they manually log out. This behavior bypasses administrative controls and can lead to unauthorized modifications, disruption of services, and a false sense of security for administrators.

Reproduction

To reproduce this vulnerability, log into the application with a user account. Then, from an administrative account, deactivate the user account that is currently logged in. The deactivated user will remain authenticated and can continue to access protected functionalities and invoke actions as before, only losing access after manually logging out.

Remediation

Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. It is recommended to back up the database and run 'composer update' before upgrading.
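The flaw described above is framework-agnostic: a session is trusted for its whole lifetime because account state is only consulted at login. The following model is an added illustration written for this page, not CI4MS or CodeIgniter code; the Store, User and function names are hypothetical. It walks the advisory's reproduction steps (log in, deactivate from the admin side, try the session again) against the login-only check and against the two fixes a defender would want: re-validating the account on every request, and revoking the user's sessions at the moment of deactivation.

```python
"""Model of a login-only account-status check versus per-request re-validation
and revoke-on-deactivate. Added example, not CI4MS code; all names hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    active: bool = True


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # username -> User
    sessions: dict = field(default_factory=dict)  # session id -> username

    def login(self, username: str) -> str:
        # Account state is enforced here in both the vulnerable and fixed variants.
        user = self.users[username]
        if not user.active:
            raise PermissionError("account deactivated")
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    # Vulnerable: a session id that exists is honoured, whatever the account's state.
    def is_authorized_login_only(self, sid: str) -> bool:
        return sid in self.sessions

    # Fix 1: re-check the account on every request and reap stale sessions.
    def is_authorized_rechecked(self, sid: str) -> bool:
        username = self.sessions.get(sid)
        if username is None:
            return False
        user = self.users.get(username)
        if user is None or not user.active:
            self.sessions.pop(sid, None)
            return False
        return True

    # Fix 2: deactivation revokes every live session belonging to the account.
    def deactivate(self, username: str, revoke_sessions: bool) -> int:
        self.users[username].active = False
        if not revoke_sessions:
            return 0
        stale = [s for s, u in self.sessions.items() if u == username]
        for s in stale:
            del self.sessions[s]
        return len(stale)


def still_authorized_after_deactivation(revoke_on_deactivate: bool,
                                        recheck_per_request: bool) -> bool:
    """Replay the advisory's reproduction steps with the chosen controls and
    report whether the deactivated user's session is still honoured."""
    store = Store()
    store.users["alice"] = User("alice")      # constructed sample account
    sid = store.login("alice")
    store.deactivate("alice", revoke_sessions=revoke_on_deactivate)
    check = (store.is_authorized_rechecked if recheck_per_request
             else store.is_authorized_login_only)
    return check(sid)


if __name__ == "__main__":
    for revoke in (False, True):
        for recheck in (False, True):
            kept = still_authorized_after_deactivation(revoke, recheck)
            print(f"revoke_on_deactivate={revoke!s:5} recheck_per_request={recheck!s:5}"
                  f" -> session still honoured: {kept}")
```

Only the first row of the table the script prints (no revocation, no per-request re-check) keeps the deactivated account logged in, which is the behaviour the advisory reports. Either control alone closes it; deploying both covers the case where a request arrives between the status change and the next login as well as the case where session storage is replaced and cannot be enumerated by user.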

Added: Apr 1, 2026, 10:22 PM
Updated: Apr 1, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.3
exploitability  6.2
remediation     0.0
relevance       5.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.