Thinkadmin · Thinkadmin · CVE-2019-11018
**Name of the Vulnerable Software and Affected Versions**
ThinkAdmin version 4.0
**Description**
The issue lies in the `application\admin\controller\User.php` file of ThinkAdmin V4.0, which does not prevent the continued use of an administrator's cookie-based credentials after a password change. A cookie issued under the old password therefore stays valid after the administrator sets a new one: a password change does not revoke the sessions it should have invalidated.
**Recommendations**
For ThinkAdmin version 4.0, as a temporary workaround, consider disabling cookie-based credentials for administrators until a patch is available. Restrict access to the `application\admin\controller\User.php` file to reduce the risk of exploitation, and avoid using the `User.php` controller for administrative tasks until the issue is resolved. At the time of writing, no information is available about a newer version that contains a fix for this vulnerability.
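As an added example that is not part of this advisory or of ThinkAdmin's own code, the Python sketch below places the flawed pattern described above (a remember-me cookie whose validity has nothing to do with the current password) beside a hardened one that binds the cookie to the stored password hash and rejects cookies minted before the last password change. The in-memory user store, the cookie layout and every function name are constructed for illustration.

```python
"""Remember-me cookies: a pattern that outlives a password change (the
CVE-2019-11018 class of bug) next to one that does not.

Everything here is constructed for illustration; the user store, cookie
format and function names are assumptions, not ThinkAdmin code.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real app loads this from config
COOKIE_TTL = 7 * 24 * 3600               # seconds a cookie may live at most

USERS = {}  # constructed in-memory user store: user_id -> record


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_id: int, password: str, now: int) -> None:
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt,
                      "password_hash": hash_password(password, salt),
                      "password_changed_at": now}


def change_password(user_id: int, new_password: str, now: int) -> None:
    user = USERS[user_id]
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = hash_password(new_password, user["salt"])
    user["password_changed_at"] = now  # every cookie minted before this is now stale


def _mac(*parts: bytes) -> str:
    return hmac.new(SERVER_SECRET, b"|".join(parts), hashlib.sha256).hexdigest()


def _split(cookie: str):
    """Parse '<user_id>|<issued_at>|<mac>'; None on malformed input."""
    try:
        uid, issued, mac = cookie.split("|")
        return int(uid), int(issued), mac
    except ValueError:
        return None


# --- vulnerable pattern ----------------------------------------------------
# The MAC covers only the user id and timestamp. Nothing in the cookie
# changes when the password does, so old cookies keep verifying.

def issue_cookie_vulnerable(user_id: int, now: int) -> str:
    body = f"{user_id}|{now}"
    return f"{body}|{_mac(body.encode())}"


def verify_cookie_vulnerable(cookie: str, now: int):
    parsed = _split(cookie)
    if parsed is None:
        return None
    user_id, issued_at, mac = parsed
    if user_id not in USERS or now - issued_at > COOKIE_TTL:
        return None
    if not hmac.compare_digest(mac, _mac(f"{user_id}|{issued_at}".encode())):
        return None
    return user_id


# --- hardened pattern ------------------------------------------------------
# Two independent ties to the current credential:
#  1. the MAC input includes the stored password hash, so a cookie minted
#     under the old password fails verification once the hash changes;
#  2. issued_at is compared with password_changed_at, so anything minted
#     before the last change is refused regardless of its MAC.

def issue_cookie_hardened(user_id: int, now: int) -> str:
    body = f"{user_id}|{now}"
    return f"{body}|{_mac(body.encode(), USERS[user_id]['password_hash'])}"


def verify_cookie_hardened(cookie: str, now: int):
    parsed = _split(cookie)
    if parsed is None:
        return None
    user_id, issued_at, mac = parsed
    user = USERS.get(user_id)
    if user is None or now - issued_at > COOKIE_TTL:
        return None
    if issued_at < user["password_changed_at"]:
        return None  # minted before the last password change
    expected = _mac(f"{user_id}|{issued_at}".encode(), user["password_hash"])
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


def demo() -> dict:
    """Mint both cookie kinds, change the password, report which still work."""
    create_user(1, "old-password", now=1000)
    weak, strong = issue_cookie_vulnerable(1, 1010), issue_cookie_hardened(1, 1010)
    change_password(1, "new-password", now=1060)
    return {"vulnerable_still_valid": verify_cookie_vulnerable(weak, 1120) == 1,
            "hardened_still_valid": verify_cookie_hardened(strong, 1120) == 1}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'vulnerable_still_valid': True, 'hardened_still_valid': False}`: the MAC-only cookie survives the password change, the bound one does not. Binding the cookie to the password hash (or to a per-user token version stored beside it) is what a permanent fix for this class of bug needs, and `password_changed_at` doubles as a revocation lever for incident response: bumping it invalidates every outstanding cookie for that account without touching the password.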