Bludit CMS User Management Vulnerability Allowing Unauthorized Access via Persistent Authentication Tokens

Vulnerability

A vulnerability exists in Bludit CMS versions prior to 3.22.0 that allows deactivated user accounts to retain access through persistent authentication tokens. When an administrator disables a user, the application does not invalidate the associated tokenAuth and tokenRemember fields in the JSON database. As a result, a user who already holds a 'Remember Me' cookie bypasses the deactivation and remains in an authenticated state. This issue has been patched in version 3.22.0.

Impact

Exploitation of this vulnerability allows disabled users to bypass deactivation and retain unauthorized access to the application, because the 'Remember Me' functionality continues to accept their stored token as valid.

Reproduction

To reproduce this vulnerability, first create two new user accounts with the roles 'Admin' and 'Author'. After logging in as the 'Admin' user, disable both accounts through the user management interface. Although the accounts are disabled, the 'Author' user remains authenticated and can still perform actions, such as publishing posts, because the 'Remember Me' token was not invalidated upon deactivation.

Remediation

Users can update to Bludit version 3.22.0, which addresses this vulnerability by invalidating the authentication tokens for disabled accounts.
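The following is an added illustration of the flaw and its fix, written for this advisory and not taken from Bludit's code base. It assumes (these are modelling assumptions, not details from the advisory) a JSON users object keyed by username, deactivation expressed as role == "disabled", and a 'Remember Me' cookie that is matched against the stored tokenRemember value; the tokenAuth/tokenRemember field names are the ones the advisory cites, while the usernames and token values are constructed.

```python
import json
import secrets

# Constructed sample users database (not a real Bludit file). The field names
# tokenAuth and tokenRemember come from the advisory; everything else is made up.
USERS_JSON = """
{
  "admin":  {"role": "admin",  "tokenAuth": "a1a1a1", "tokenRemember": "r1r1r1"},
  "author": {"role": "author", "tokenAuth": "b2b2b2", "tokenRemember": "r2r2r2"}
}
"""

def load_users_db():
    """Parse the constructed database; each call returns a fresh, independent copy."""
    return json.loads(USERS_JSON)

def disable_user_vulnerable(db, username):
    """Pre-3.22.0 behaviour as described: the role changes, both tokens stay valid."""
    db[username]["role"] = "disabled"

def disable_user_fixed(db, username):
    """Hardened deactivation: clear both tokens so no existing cookie can match."""
    user = db[username]
    user["role"] = "disabled"
    user["tokenAuth"] = ""
    user["tokenRemember"] = ""

def login_from_remember_cookie(db, cookie_token):
    """Token-only lookup: whoever presents a matching tokenRemember is logged in."""
    for name, user in db.items():
        stored = user["tokenRemember"]
        # Empty tokens are never valid, so a cleared account cannot match an empty cookie.
        if stored and cookie_token and secrets.compare_digest(stored, cookie_token):
            return name
    return None

def login_from_remember_cookie_checked(db, cookie_token):
    """Defence in depth: refuse disabled accounts even when a stale token still matches."""
    name = login_from_remember_cookie(db, cookie_token)
    if name is None or db[name]["role"] == "disabled":
        return None
    return name

def audit_disabled_with_tokens(db):
    """Admin check: disabled accounts that still hold a token a cookie could present."""
    return sorted(n for n, u in db.items()
                  if u["role"] == "disabled" and (u["tokenAuth"] or u["tokenRemember"]))
```

Running audit_disabled_with_tokens over an exported users database is a quick way to find accounts that were disabled before the fix and still carry live tokens.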

Added: Jun 8, 2026, 4:32 PM
Updated: Jun 8, 2026, 4:32 PM

Vulnerability Rating

Custom Algorithm

spread:         2.2
impact:         1.3
exploitability: 7.8
remediation:    7.7
relevance:      10.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.