Potential vulnerability: login, change password and OJS sessions

We have an OJS instance running at https://library.wur.nl/ojs
We received the following e-mail. We would like to know if this is a known security issue and if it will be fixed. (I couldn’t find info about it)

Kind regards,
Paulien

Respected Sir,

I am a security researcher from India.

## Summary:

While conducting my research I discovered that the application fails to invalidate sessions after a password change: changing the password doesn't destroy the other sessions which are logged in with the old password.

## Vulnerable URL: https://library.wur.nl/ojs/index.php/frontis/login

## Steps To Reproduce:

1) Open the same account in two different browsers.
2) Change the password in one browser and you will see that the other browser still validates the session after the password change (even after refreshing the page).

## Impact

If the user logs in to his account on a different person's computer and forgets to log out, the person whose system the user logged in on can access his/her account, because the user's old session on that person's system is not going to expire even if the user changes his password.


I say it can be considered a security issue even though it's more like a feature of an app. Nowadays most modern apps and frameworks do provide this functionality. We have already implemented this feature/fix for the upcoming release version 3.4, see the details at https://github.com/pkp/pkp-lib/issues/6983 . But right now it's not included in any of the stable releases.

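The missing invalidation the report describes, and the kind of fix the reply refers to for 3.4, sketched as an added Python example that is not OJS or pkp-lib code: every user record carries a password generation counter that each session snapshots at login, so a request is honoured only while the two still match. Calling `session_is_valid(sid, enforce=False)` shows the reported legacy behaviour, where the second browser's session survives the change; all names and the in-memory stores are constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed in-memory stores: a real deployment would keep these in the database.
USERS: Dict[str, dict] = {}     # name -> {"hash", "salt", "gen"}; gen bumps on each password change
SESSIONS: Dict[str, dict] = {}  # sid  -> {"user", "gen"}; gen current when the session was issued

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = {"hash": _hash(password, salt), "salt": salt, "gen": 0}

def login(name: str, password: str) -> Optional[str]:
    user = USERS.get(name)
    if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
    SESSIONS[sid] = {"user": name, "gen": user["gen"]}
    return sid

def session_is_valid(sid: str, enforce: bool = True) -> bool:
    """enforce=False reproduces the reported behaviour: any stored session stays valid."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    if enforce and sess["gen"] != USERS[sess["user"]]["gen"]:
        del SESSIONS[sid]  # issued under an old password: treat as logged out
        return False
    return True

def change_password(sid: str, old: str, new: str) -> bool:
    if not session_is_valid(sid):
        return False
    sess = SESSIONS[sid]
    user = USERS[sess["user"]]
    if not hmac.compare_digest(_hash(old, user["salt"]), user["hash"]):
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new, user["salt"])
    user["gen"] += 1            # every other session for this user is now stale
    sess["gen"] = user["gen"]   # only the session that made the change survives
    return True
```

The generation check costs one comparison per request and needs no list of active session ids, which is why it also works for sessions stored only on the client.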