CVE-2021-37333
📋 TL;DR
Laravel Booking System Booking Core 2.0 has a session management vulnerability where changing a user's password doesn't invalidate existing sessions in other browsers. This allows attackers who obtain a session token to maintain access even after password changes. All users of Booking Core 2.0 are affected.
💻 Affected Systems
- Laravel Booking System Booking Core
📦 What is this software?
Booking Core by Bookingcore
⚠️ Risk & Real-World Impact
Worst Case
Attackers maintain persistent access to user accounts even after password changes, enabling complete account takeover, data theft, and unauthorized booking modifications.
Likely Case
Session hijacking leads to unauthorized access to user accounts, allowing attackers to view personal information, modify bookings, or make fraudulent transactions.
If Mitigated
With proper session invalidation, attackers lose access immediately after password changes, limiting exposure to the time between session theft and password change.
🎯 Exploit Status
Exploitation requires session token theft through XSS, MITM, or other means, but once obtained, the attack is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Modify the password change function to invalidate all existing sessions. 2. Implement proper session management that destroys all sessions for a user when password changes. 3. Update to a patched version if available.
🔧 Temporary Workarounds
Manual Session Invalidation
allModify the password change logic to destroy all existing sessions for the user
Modify Laravel controller to add: Auth::logoutOtherDevices($password); or implement custom session destruction
🧯 If You Can't Patch
- Implement forced logout on all devices after password changes
- Add multi-factor authentication to reduce impact of session theft
🔍 How to Verify
Check if Vulnerable:
1. Log into account in Browser A. 2. Change password in Browser B. 3. Check if Browser A session remains active. 4. If active, system is vulnerable.Check Version:
Check composer.json or application configuration for 'booking-core' versionVerify Fix Applied:
Repeat the test above - after password change, all other sessions should be automatically terminated.📡 Detection & Monitoring
Log Indicators:
- Multiple simultaneous sessions from different IPs/user-agents for same account
- Password change events followed by continued session activity from old sessions
Network Indicators:
- Session tokens being reused after password changes
- Unauthorized API calls using old session tokens
SIEM Query:
source="application.log" (event="password_change" OR event="password_reset") AND user_id=* | join user_id [search source="application.log" event="session_activity" user_id=*] | where _time > relative_time(_time, "-5m")