Listmonk Session Management Vulnerability Allowing Session Persistence After Password Changes

Vulnerability

A session management vulnerability exists in Listmonk versions from 4.1.0 up to, but not including, 6.1.0: authenticated sessions remain valid after critical account security changes such as password resets and password changes. An attacker who already holds a valid session cookie can therefore keep access to the account even after the legitimate user has changed or reset the password, which undermines password recovery as a containment measure. The vulnerability has been addressed in version 6.1.0.

Impact

The vulnerability allows an attacker to retain access to a user's account after the user has changed or reset their password, including accounts with two-factor authentication enabled.

Reproduction

The vulnerability can be reproduced in two scenarios:

1) After resetting a password, the old session cookie remains valid and can still be used to access authenticated endpoints.
2) When changing a password through the profile update endpoint, previously issued session cookies remain valid and can still be used to access authenticated endpoints.
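Both scenarios come down to the same missing control: nothing ties a session to the password that was current when it was issued. As an added illustration (not Listmonk's own code), the minimal Go session store below binds each session to a per-user password generation counter, so the reset flow and the profile-update flow both invalidate every older cookie on its next use. The Store, Login, Validate and ChangePassword names are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// session remembers the password generation under which it was issued.
type session struct {
	userID string
	gen    uint64
}

// Store (single-goroutine demo, no locking) keeps sessions and a per-user
// password generation counter bumped on every password change or reset.
type Store struct {
	gen      map[string]uint64
	sessions map[string]session
}
var ErrRevoked = errors.New("session is unknown or predates the last password change")
func NewStore() *Store {
	return &Store{gen: map[string]uint64{}, sessions: map[string]session{}}
}

// Login issues a random session ID bound to the user's current generation.
func (s *Store) Login(userID string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = session{userID: userID, gen: s.gen[userID]}
	return id
}

// Validate is the check the advisory describes as missing: a session whose
// generation no longer matches the user's is rejected and dropped.
func (s *Store) Validate(id string) (string, error) {
	sess, ok := s.sessions[id]
	if !ok || sess.gen != s.gen[sess.userID] {
		delete(s.sessions, id)
		return "", ErrRevoked
	}
	return sess.userID, nil
}

// ChangePassword covers both the profile-update and the reset flow; bumping
// the counter invalidates every session issued before this call.
func (s *Store) ChangePassword(userID string) { s.gen[userID]++ }
```

A real deployment would persist the counter next to the password hash (or store the hash's own version) so the check survives restarts and works across server instances.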

Remediation

Users can upgrade to Listmonk version 6.1.0 to address this vulnerability.

Added: Apr 2, 2026, 6:33 PM
Updated: Apr 2, 2026, 6:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.0
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.