CVE-2024-29401

9.8 CRITICAL

📋 TL;DR

xzs-mysql 3.8 has insufficient session expiration that allows attackers to reuse deleted admin sessions for unauthorized actions. This affects all deployments using the vulnerable version, potentially compromising administrative functions.

💻 Affected Systems

Products:
  • xzs-mysql
Versions: 3.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with admin accounts that have been deleted while sessions remain active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through admin session hijacking, allowing data theft, configuration changes, or service disruption.

🟠 Likely Case

Unauthorized administrative access leading to data exposure, privilege escalation, or system manipulation.

🟢 If Mitigated

Limited impact with proper session management and access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining a valid admin session token after admin deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Session Invalidation on Admin Deletion (applies to: all)

Modify the application logic to invalidate all sessions belonging to an admin account when that account is deleted.

Implement the session cleanup in the admin deletion function.

Session Timeout Reduction (applies to: all)

Reduce the session timeout duration to minimize the window of opportunity.

Configure session.gc_maxlifetime in PHP or the equivalent in other languages.
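Both workarounds above, as an added illustrative model that is not xzs-mysql's own code: a session store that purges every session bound to an account when that account is deleted, re-checks the account on every admin request, and enforces an idle timeout. The class and method names, the role strings and the 900-second timeout are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model of a session store (hypothetical, not the project's code).
# Timestamps are passed in explicitly so the behaviour is deterministic.

@dataclass
class Session:
    account_id: str
    last_seen: float

@dataclass
class SessionStore:
    idle_timeout: float = 900.0                     # seconds; assumed value
    sessions: dict = field(default_factory=dict)    # token -> Session
    accounts: dict = field(default_factory=dict)    # account_id -> role
    deleted: set = field(default_factory=set)       # tombstones for deleted accounts

    def create_account(self, account_id: str, role: str) -> None:
        self.accounts[account_id] = role

    def login(self, account_id: str, now: float) -> str:
        if account_id not in self.accounts:
            raise PermissionError("unknown account")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(account_id, now)
        return token

    def delete_account(self, account_id: str) -> int:
        """Remove the account and every session bound to it; returns how many were purged."""
        self.accounts.pop(account_id, None)
        self.deleted.add(account_id)
        doomed = [t for t, s in self.sessions.items() if s.account_id == account_id]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)

    def authorize_admin(self, token: str, now: float) -> bool:
        """Gate for every admin request: stale, orphaned or non-admin sessions fail."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > self.idle_timeout:   # idle timeout expired: drop it
            del self.sessions[token]
            return False
        # Re-check the account on each request rather than trusting the session
        # alone; this also covers a store that forgot to purge on deletion.
        if s.account_id in self.deleted or self.accounts.get(s.account_id) != "admin":
            return False
        s.last_seen = now
        return True
```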

🧯 If You Can't Patch

  • Implement strict access controls and monitor admin session activity
  • Regularly audit and rotate admin credentials

🔍 How to Verify

Check if Vulnerable:

Test by deleting an admin account while maintaining an active session, then attempt administrative actions.

Check Version:

Check the application version in the configuration or on the about page.

Verify Fix Applied:

Verify that sessions are invalidated immediately upon admin account deletion.

📡 Detection & Monitoring

Log Indicators:

  • Admin actions from deleted accounts
  • Session reuse after account deletion

Network Indicators:

  • Unusual admin session patterns
  • Requests with old session tokens

SIEM Query:

session_token AND admin_action AND account_status=deleted
