Changing a user's password via CLI does not revoke sessions & access tokens

Summary

When an admin resets an account's password via bin/tootctl accounts modify --reset-password the sessions and access tokens are not revoked, allowing a compromised account to continue being used.

Impact

Administrators may reset a user's password as a result of an account compromise, expecting the password reset to lock attackers out, only for compromised sessions and tokens to still be usable.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Changing a user's password via CLI does not revoke sessions & access tokens

Package

Affected versions

Patched versions

Description

Summary

Impact

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Insufficient Session Expiration

Credits