CVE-2024-56733

Name of the Vulnerable Software and Affected Versions Password Pusher versions 1.50.3 and prior

Description A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device.

Recommendations To mitigate the risk, always use the latest version of Password Pusher. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access. Consider implementing additional security measures such as automatic session expiration, session reset on login and logout, and encrypted cookies to further mitigate session hijacking risks.