From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Affected Versions:
- Apereo CAS: 6.6.x
- apereo/cas: Apereo CAS - Identity & Single Sign On for all earthlings and beyond

2. Vulnerability Information:
- Vulnerability Type: Session Token Does Not Expire After Logout
- Status: Unpatched

3. Vulnerable Endpoint:
- Path:

4. Vulnerability Description:
- The web application's authentication system contains a flaw that leaves session tokens valid after a user logs out. Even after the session is terminated and the user has exited the system, the authentication token associated with that user can still be used to access protected resources.

5. PoC (Proof of Concept):
- During the login process, several requests are made with the session cookie to list account data. It was observed that even after the user logs out, the session cookie is not expired correctly, and the same account-data requests continue to succeed.

6. Impact:
- Session Hijacking: Attackers can use still-valid session tokens to access accounts and impersonate users.
- Unauthorized Access: Persistent session tokens allow access to restricted areas without re-authentication.
- Data Exposure: Sensitive data may be exposed to unauthorized parties who continue to use the session after logout.
- Compliance Issues: Regulations typically require sessions to terminate immediately upon logout; failing to do so may constitute a compliance violation.
- Reputation Damage: Users may lose trust in the application's security if the logout process is perceived as ineffective.

7. Mitigation Recommendations:
- Session Invalidation: Invalidate session tokens on the server side immediately upon logout, so they cannot be used for any further request.
- Token Expiration and Rotation: Use short-lived session tokens and rotate them regularly to limit the window for token reuse.
- Secondary Logout Verification: Implement a secondary mechanism (e.g., a token blacklist) to ensure tokens cannot be reused after logout.
- Automatic Session Timeout: Expire sessions automatically after a period of inactivity to bound the lifetime of any active session.
- Regular Security Audits and Testing: Conduct regular security assessments to confirm that session tokens are securely managed and correctly expired across all user scenarios.

This information provides a detailed description of the vulnerability's nature, impact, and mitigation strategies, aiding in understanding and resolving the security issue.
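The following is an added example, not code from the report or from the Apereo CAS project, that models the flaw and the first four mitigations in a minimal server-side session store: a logout that only clears the browser cookie (the reported behaviour) beside one that invalidates the server-side record, plus an idle timeout and token rotation. The fifteen-minute timeout, the user name and the epoch value are assumed values chosen for the example; `logout_invalidates_server_side` is the kind of regression check a defender would keep to confirm that a pre-logout cookie is rejected afterwards.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy value for this example; the report names no specific timeout.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = Session(user, self._clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user behind a live session, or None; enforces the idle timeout."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # stale: drop the server-side record
            return None
        session.last_seen = now
        return session.user

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for an existing session; the old value stops working."""
        session = self._sessions.pop(token, None)
        if session is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = session
        return new_token

    def invalidate(self, token: str) -> None:
        self._sessions.pop(token, None)


class VulnerableLogout:
    """Mirrors the reported flaw: logout only tells the browser to drop the cookie."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store

    def logout(self, token: str) -> str:
        return "Set-Cookie: SESSION=; Max-Age=0"  # server-side record is left intact


class FixedLogout(VulnerableLogout):
    """Server-side invalidation first, then the cookie-clearing header."""

    def logout(self, token: str) -> str:
        self.store.invalidate(token)
        return "Set-Cookie: SESSION=; Max-Age=0"


def account_data(store: SessionStore, token: str) -> int:
    """Protected endpoint: HTTP 200 for a live session, 401 otherwise."""
    return 200 if store.resolve(token) else 401


class FakeClock:
    """Controllable clock so the timeout check runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 1_700_000_000.0  # constructed epoch value

    def __call__(self) -> float:
        return self.now


def logout_invalidates_server_side(app_cls) -> bool:
    """Defender's regression check: the pre-logout cookie must be rejected afterwards."""
    store = SessionStore()
    app = app_cls(store)
    token = store.create("alice")  # constructed user
    if account_data(store, token) != 200:
        raise RuntimeError("session should be live before logout")
    app.logout(token)
    return account_data(store, token) == 401


def idle_timeout_rejects_stale_token() -> bool:
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice")
    clock.now += IDLE_TIMEOUT_SECONDS + 1  # simulate inactivity past the limit
    return account_data(store, token) == 401


def rotation_rejects_old_token() -> bool:
    store = SessionStore()
    old = store.create("alice")
    new = store.rotate(old)
    return account_data(store, old) == 401 and account_data(store, new) == 200


if __name__ == "__main__":
    print("vulnerable logout invalidates:", logout_invalidates_server_side(VulnerableLogout))
    print("fixed logout invalidates:", logout_invalidates_server_side(FixedLogout))
```

The design point is that `Set-Cookie: SESSION=; Max-Age=0` is advice to a cooperating browser, not a security control; anyone who already holds the cookie value ignores it. The only authoritative state is the server-side table, so the fix is the `invalidate` call before the header is sent, with the idle timeout and rotation bounding how long a leaked value stays useful.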