Mishandled Logout Function

Affecting generator-jhipster package, versions >=0.3.1 <0.14.0

Do your applications use this vulnerable package? Test your applications

Overview

generator-jhipster is a Spring Boot + Angular in one handy generator. Affected versions of the package are vulnerable due to the mishandling if the logout function in IE8. When an admin logs out, the session is not properly cleared and any user logging in afterward will have admin permissions. A malicious user could use this to their advantage.

Note: This only occurs on IE8.

Remediation

Upgrade generator-jhipster to version 0.14.0 or higher.

References

CVSS Score

4.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Credit
jstradej
CWE
CWE-284
Snyk ID
npm:generator-jhipster:20140428
Disclosed
27 Apr, 2014
Published
28 Mar, 2017