PT-2019-17796 · Rapid7 · Rapid7 Nexpose

Published: 2019-08-21 · Updated: 2024-09-16 · CVE-2019-5638

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Rapid7 Nexpose versions 6.5.50 and prior

Description
The issue arises from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session remains valid after the password change. This potentially allows the attacker who originally compromised the credential to remain logged in and cause further damage.

Recommendations
For versions 6.5.50 and prior, consider implementing a mechanism to expire user sessions after a security-relevant edit, such as a password change, to prevent potential further damage from compromised credentials. As a temporary workaround, consider manually logging off users after their credentials have been changed due to a security incident.
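The mechanism the recommendation describes, shown as an added example that is not Rapid7 or Nexpose code: every session records the credential version of the user it belongs to, and an administrative password change bumps that version, so a session opened before the change no longer validates. The `SessionStore`, `User` and `Session` types, the `check_version` switch (which reproduces the vulnerable behaviour when off) and the sample user are all hypothetical and constructed for this illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def _hash(password: str) -> str:
    # Stand-in for a real password KDF (argon2/bcrypt); irrelevant to the session logic.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    credential_version: int = 0  # incremented on every security-relevant edit


@dataclass
class Session:
    username: str
    credential_version: int  # snapshot of the user's version at login time
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical session layer that binds each session to a credential version."""

    def __init__(self, check_version: bool = True) -> None:
        # check_version=False reproduces the vulnerable behaviour described above:
        # sessions stay valid after an administrator changes the user's password.
        self.check_version = check_version
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = User(username, _hash(password))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or user.password_hash != _hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.credential_version)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.username)
        if user is None:
            return False
        if self.check_version and session.credential_version != user.credential_version:
            # Credentials changed since login: the session is stale, drop it.
            del self.sessions[token]
            return False
        return True

    def admin_set_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = _hash(new_password)
        user.credential_version += 1
        # Eager revocation as well, so a stale session does not linger in the
        # store until its next use (the lazy check in is_valid still covers it).
        if self.check_version:
            stale = [t for t, s in self.sessions.items() if s.username == username]
            for token in stale:
                del self.sessions[token]


def demo(check_version: bool) -> bool:
    """Return whether a session opened before an admin password reset still works afterwards."""
    store = SessionStore(check_version=check_version)
    store.add_user("alice", "leaked-password")            # constructed sample user
    token = store.login("alice", "leaked-password")        # session opened with the leaked credential
    assert token is not None and store.is_valid(token)
    store.admin_set_password("alice", "new-strong-password")  # admin responds to the leak
    return store.is_valid(token)


if __name__ == "__main__":
    print("vulnerable: pre-change session still valid ->", demo(check_version=False))  # True
    print("fixed:      pre-change session still valid ->", demo(check_version=True))   # False
```

The version check runs on every request, so it also catches sessions that live in a store the administrator's action could not enumerate (for example a signed cookie carrying the version), while the eager sweep in `admin_set_password` removes server-side state immediately. The same bump-the-version pattern covers other security-relevant edits such as role or MFA changes.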

Fix

Insufficient Session Expiration

Weakness Enumeration

Related Identifiers

CVE-2019-5638

Affected Products

Rapid7 Nexpose