PT-2021-16908 · Factor · Factor

Published: 2021-11-16 · Updated: 2021-11-19 · CVE-2021-25985

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Factor (App Framework & Headless CMS) versions 1.0.4 through 1.8.30

Description: The issue arises from improper session invalidation after a user logs out, combined with the storage of user sessions in the browser's local storage, which has no expiration time by default. An attacker who can read that storage, for example through an XSS attack, can therefore steal and reuse the cookies, leading to local account takeover.

Recommendations: For versions 1.0.4 through 1.8.30, implement proper session invalidation upon user logout and set an expiration time for sessions stored in local storage to mitigate the risk of session reuse. As a temporary workaround, restrict access to sensitive areas of the application that rely on session-based authentication until a permanent fix can be applied.
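The two recommended fixes, shown as an added example that is not Factor's code: the unsafe persistence pattern (token in local storage with no expiry and never removed) beside a hardened client-side session store that records an absolute expiry, purges expired or legacy entries on read, and revokes the token on logout. `memoryStorage` is a constructed stand-in for `window.localStorage` so the code runs under Node; the one-hour TTL and the `revoke` callback are assumptions.

```javascript
// In-memory stand-in for window.localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const SESSION_KEY = "app.session";
const DEFAULT_TTL_MS = 60 * 60 * 1000; // one hour (assumed value)

// Vulnerable pattern: the token is persisted without any expiry.
function saveSessionUnsafe(store, token) {
  store.setItem(SESSION_KEY, JSON.stringify({ token }));
}

// Hardened: record an absolute expiry next to the token.
function saveSession(store, token, ttlMs = DEFAULT_TTL_MS, now = Date.now()) {
  store.setItem(SESSION_KEY, JSON.stringify({ token, expiresAt: now + ttlMs }));
}

// Returns the token only while the entry is unexpired. Expired, malformed or
// legacy entries (no expiresAt) are removed so they cannot be replayed later.
function loadSession(store, now = Date.now()) {
  const raw = store.getItem(SESSION_KEY);
  if (raw === null) return null;
  let entry = null;
  try { entry = JSON.parse(raw); } catch (e) { entry = null; }
  if (!entry || typeof entry.expiresAt !== "number" || entry.expiresAt <= now) {
    store.removeItem(SESSION_KEY);
    return null;
  }
  return entry.token;
}

// Logout: drop the client copy and hand the token to `revoke` (assumed to call
// the server) so a previously stolen copy stops working. Returns true when a
// live token was actually revoked.
function logout(store, revoke, now = Date.now()) {
  const token = loadSession(store, now);
  store.removeItem(SESSION_KEY);
  if (token === null) return false;
  revoke(token);
  return true;
}
```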

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2021-25985

Affected Products

Factor