CVE-2019-11018

Name of the Vulnerable Software and Affected Versions ThinkAdmin version 4.0

Description The issue concerns the applicationadmincontrollerUser.php file in ThinkAdmin V4.0, where it fails to prevent the continued use of an administrator's cookie-based credentials after a password change. This means that even after an administrator changes their password, the old cookie-based credentials can still be used.

Recommendations For ThinkAdmin version 4.0, as a temporary workaround, consider disabling the use of cookie-based credentials for administrators until a patch is available. Restrict access to the applicationadmincontrollerUser.php file to minimize the risk of exploitation. Avoid using the User.php controller for administrative tasks until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.