As an Ethical Hacker Bug Found in your site

[Julien Lux]

Hello,

So I received a suspicious message for one of my website (Prestashop 1.6.1.4). It sounds like an hoax but I can't find anybody with the same message on google..
What do you think about it ?

Hi,  As an Ethical Hacker
Bug Found in your site :   https://xxxxxx.com/   
Bug Type: Session Management[Session invalidation ]
Description of the issue- The server does not invalidate the previous session once the password is changed by the legitimate user. How to reproduce?- Login in to Your Account using firefox. Now login to the same  account using google chrome. Lets assume website user's account is compromised so he wants to change his password, he will navigate to forgot password page or simply password change page and will change his password in the chrome browser. Web user is able to change his password and the session from which the password changes is logged out but it was observed that still the previous session in firefox is not invalidated and i was actually able to browse the website from both the sessions. Impact- If the web user's account is compromised, he will simply change his password but if the previous session is not invalidated there is no use of changing the password. Remediation- Invalidate the previous session once the password has been changed and enforce the web user to relogin in the website. Waiting for your response......!!!!!!!!!!!!!!!!!!!!!!!!!!
Regards Ethical Hacker          

Thank you
 

Edited June 15, 2020 by Julien Lux
prestashop version added (see edit history)

[joseantgv]

You can report this issue to [email protected]

[khanhkg]

Hi Julien, were you able to find a fix for this? I also received a similar email.