CVE-2024-35049
📋 TL;DR
SurveyKing v1.3.1 fails to properly invalidate user sessions after logout, allowing attackers to reuse active sessions. This affects all users of vulnerable SurveyKing instances, potentially enabling unauthorized access to user accounts and survey data.
💻 Affected Systems
- SurveyKing
📦 What is this software?
SurveyKing is an open-source survey and questionnaire application developed by javahuang and published on GitHub (https://github.com/javahuang/SurveyKing).
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent access to administrative accounts, allowing complete system compromise, data theft, and manipulation of all surveys and user data.
Likely Case
Unauthorized users access other users' accounts to view or modify survey responses, potentially exposing sensitive information collected through surveys.
If Mitigated
With proper session management controls and monitoring, impact is limited to temporary unauthorized access that can be quickly detected and remediated.
🎯 Exploit Status
Exploitation requires the attacker to hold a valid session token for the victim, obtained for example through session hijacking or token capture (a shared or compromised browser, a leaked cookie, interception on an unencrypted connection). The weakness is that such a token keeps working after the victim logs out, so logging out does not cut off an attacker who already has a copy of it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the GitHub repository for the latest version
Vendor Advisory (GitHub issue): https://github.com/javahuang/SurveyKing/issues/55
Restart Required: Yes
Instructions:
1. Check the SurveyKing GitHub repository for the latest version.
2. Update to the patched version.
3. Restart the SurveyKing application.
4. Invalidate every session issued before the upgrade on the server side (clear the session store or rotate the token-signing secret, whichever applies to your deployment) rather than relying on each user to log out, so that tokens captured before the patch cannot be replayed.
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to minimize the window in which a captured token can be reused.
Modify the session configuration in the application settings to shorten the timeout (e.g., session.timeout=15 for 15 minutes; the property name and units depend on how your deployment is configured).
Force Session Invalidation
Implement a custom logout handler that properly invalidates the session.
The logout endpoint must destroy the session server-side (remove it from the session store or add the token to a revocation list) so that a replayed token is rejected, instead of only clearing the cookie in the browser.
🧯 If You Can't Patch
- Implement web application firewall rules to detect and block suspicious session reuse patterns
- Enable detailed session logging and monitor for unusual session activity across multiple IP addresses
🔍 How to Verify
Check if Vulnerable:
Test logout functionality:
1. Log into SurveyKing and capture the session token (the session cookie or Authorization header value).
2. Log out through the application.
3. Replay a request to a protected resource using the captured token.
If access is granted, the system is vulnerable.
Check Version:
Check SurveyKing version in application interface or configuration files
Verify Fix Applied:
Repeat the vulnerable test after patching. Successful logout should completely invalidate the session, preventing any further access with the same token.
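The login/logout/replay check above, scripted so it can be re-run before and after patching. This is an added example, not SurveyKing's own code or test suite: the endpoint paths, the JSON login shape, the header the token travels in and the base URL are assumptions that you must read from your own instance (for example from the browser's developer tools) and set at the top of the script. The HTTP transport is injectable so the verdict logic can be exercised against a fake server as well as a real one.

```python
"""Check whether a SurveyKing session token survives logout (CVE-2024-35049).

Added example, not SurveyKing code. Everything marked "assumed" must be
adapted to the instance under test.
"""
import json
import sys
import urllib.error
import urllib.request

# ---- Assumed instance details: adjust to your deployment ----
BASE_URL = "http://127.0.0.1:8080"      # assumed
LOGIN_PATH = "/api/login"               # assumed: POST JSON {"username","password"} -> {"token": "..."}
LOGOUT_PATH = "/api/logout"             # assumed
PROTECTED_PATH = "/api/user/current"    # assumed: any endpoint that requires authentication
TOKEN_HEADER = "Authorization"          # assumed: token sent as "Bearer <token>"


def urllib_transport(method, path, token=None, body=None):
    """Real HTTP transport. Returns (status_code, decoded JSON or raw text)."""
    data = None
    headers = {"Accept": "application/json"}
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers[TOKEN_HEADER] = f"Bearer {token}"
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as e:       # 4xx/5xx are answers, not transport failures
        status, raw = e.code, e.read()
    try:
        return status, json.loads(raw.decode() or "null")
    except ValueError:
        return status, raw.decode(errors="replace")


def extract_token(payload):
    """Pull the session token out of a login response (assumed response shapes)."""
    if isinstance(payload, dict):
        for key in ("token", "accessToken", "sessionId"):
            if key in payload:
                return str(payload[key])
        if isinstance(payload.get("data"), dict):
            return extract_token(payload["data"])
    return None


def check_session_reuse(transport, username, password):
    """Log in, prove the token works, log out, replay the token.

    Returns {"verdict": ..., "reason": ...} where verdict is
      'vulnerable'   token still accepted after logout,
      'fixed'        token rejected after logout,
      'inconclusive' a baseline step failed, so no claim can be made.
    """
    status, payload = transport("POST", LOGIN_PATH, body={"username": username, "password": password})
    token = extract_token(payload)
    if status != 200 or not token:
        return {"verdict": "inconclusive", "reason": f"login failed (HTTP {status})"}

    status, _ = transport("GET", PROTECTED_PATH, token=token)
    if status != 200:   # if the token never worked, a later rejection proves nothing
        return {"verdict": "inconclusive", "reason": f"token rejected before logout (HTTP {status}); check PROTECTED_PATH"}

    status, _ = transport("POST", LOGOUT_PATH, token=token)
    if status >= 400:
        return {"verdict": "inconclusive", "reason": f"logout failed (HTTP {status})"}

    status, _ = transport("GET", PROTECTED_PATH, token=token)
    if status == 200:
        return {"verdict": "vulnerable", "reason": "token accepted after logout"}
    return {"verdict": "fixed", "reason": f"token rejected after logout (HTTP {status})"}


if __name__ == "__main__":
    # usage: python check_logout.py <username> <password>
    print(check_session_reuse(urllib_transport, sys.argv[1], sys.argv[2]))
```

Run it once before patching (expect "vulnerable") and once after (expect "fixed"); an "inconclusive" result means one of the assumed paths or the token header does not match your instance, not that the instance is safe.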
📡 Detection & Monitoring
Log Indicators:
- Requests authenticated with a session ID after a logout event for that same session ID
- The same session ID used from different source IP addresses
- Sessions remaining active well past the configured timeout
Network Indicators:
- HTTP requests carrying a session token that was previously presented to the logout endpoint
- The same session cookie or token presented with different User-Agent strings
SIEM Query:
Splunk-style pseudo-query (field names are assumed and must be mapped to your log schema): for each session ID, compare the time of its logout with the time of its last non-logout request and flag sessions that were used after logging out.
source="surveyking" | stats min(eval(if(event="logout", _time, null()))) AS logout_time, max(eval(if(event!="logout", _time, null()))) AS last_use BY session_id | where last_use > logout_time
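The same two indicators (use of a session ID after its logout, and one session ID seen from several IPs) implemented as an offline check over application logs. This is an added example rather than anything SurveyKing ships: SurveyKing does not produce this log format, so the key=value line layout, the field names and the sample lines are constructed for the demonstration; adapt LINE_RE to your real access or application log.

```python
"""Offline detection of session reuse after logout (CVE-2024-35049 indicator).

Added example, not SurveyKing code. The log format is an assumption and
SAMPLE_LOG is constructed; point parse_events() at your own log lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: s1 is replayed from a new IP after logout, s2 is clean,
# s3 never logs out but is used from two different addresses.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z session=s1 user=alice ip=10.0.0.5 event=login path=/api/login
2024-06-01T10:00:05Z session=s1 user=alice ip=10.0.0.5 event=request path=/api/survey/list
2024-06-01T10:01:00Z session=s1 user=alice ip=10.0.0.5 event=logout path=/api/logout
2024-06-01T10:02:30Z session=s1 user=alice ip=203.0.113.7 event=request path=/api/survey/answers
2024-06-01T10:03:00Z session=s2 user=bob ip=10.0.0.9 event=login path=/api/login
2024-06-01T10:03:10Z session=s2 user=bob ip=10.0.0.9 event=request path=/api/survey/list
2024-06-01T10:04:00Z session=s2 user=bob ip=10.0.0.9 event=logout path=/api/logout
2024-06-01T10:05:00Z session=s3 user=carol ip=10.0.0.11 event=login path=/api/login
2024-06-01T10:05:20Z session=s3 user=carol ip=198.51.100.4 event=request path=/api/survey/list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+) path=(?P<path>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts (ts as datetime); lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    # Collected logs may arrive out of order; sort so "after logout" is well defined.
    events.sort(key=lambda e: e["ts"])
    return events


def find_post_logout_use(lines):
    """Return every event that carries a session ID after that session's logout.

    A hit means the server received a request bearing a token that should
    already have been dead; confirm in the access log that it was accepted.
    """
    logout_at = {}
    hits = []
    for ev in parse_events(lines):
        sid = ev["session"]
        if ev["event"] == "logout":
            logout_at.setdefault(sid, ev["ts"])   # keep the earliest logout
        elif sid in logout_at and ev["ts"] > logout_at[sid]:
            hits.append(ev)
    return hits


def sessions_with_multiple_ips(lines):
    """Map session ID -> sorted source IPs, only for sessions seen from more than one."""
    ips = defaultdict(set)
    for ev in parse_events(lines):
        ips[ev["session"]].add(ev["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ev in find_post_logout_use(lines):
        print(f"POST-LOGOUT USE session={ev['session']} user={ev['user']} "
              f"ip={ev['ip']} path={ev['path']} at {ev['ts']:%H:%M:%S}")
    for sid, addrs in sessions_with_multiple_ips(lines).items():
        print(f"MULTI-IP session={sid} ips={','.join(addrs)}")
```

The post-logout check is the high-confidence signal: on a fixed instance no authenticated request should ever follow a session's logout. The multi-IP check is noisier (mobile users change addresses) and is best used to prioritise which post-logout hits to investigate first.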