Session cookies not immediately invalidated after logout
| Security Advisory Date | December 7, 2021 |
| Vulnerability Type | Authentication failure |
| Versions affected | FileCloud Versions 21.2 and earlier |
| Version fixed | FileCloud Version 220.127.116.1113 |
When a user logs out of a FileCloud browser session, the server-side session continues to be valid. An actor who has access to the local browser could possibly steal the session cookies and use them to access the system.
This has been fixed in FileCloud version 18.104.22.16813.
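The behaviour described above, as an added example that is not FileCloud code: a constructed in-memory session store whose logout either leaves the server-side record in place or destroys it, plus a regression check that presents the pre-logout cookie value again. The class, function and user names are hypothetical.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a server-side session table (hypothetical)."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # session id -> username

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid  # value the browser keeps in its session cookie

    def logout(self, sid):
        # Weak behaviour: only the browser is told to drop the cookie, so the
        # server-side record stays and a copied cookie value is still accepted.
        if self.invalidate_on_logout:
            # Corrected behaviour: destroy the server-side session as well.
            self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"

    def authenticate(self, sid):
        # Returns the username bound to the session id, or None if unknown.
        return self._sessions.get(sid)


def session_survives_logout(store):
    """Return True if a cookie value saved before logout still authenticates."""
    sid = store.login("alice")        # constructed sample user
    saved_cookie = sid                # cookie value as it existed before logout
    store.logout(sid)
    return store.authenticate(saved_cookie) is not None


if __name__ == "__main__":
    print("logout keeps server session :", session_survives_logout(SessionStore(False)))
    print("logout destroys session     :", session_survives_logout(SessionStore(True)))
```

The same check, run against a real deployment's test instance after patching, belongs in a regression suite: log in, record the cookie, log out, and confirm the recorded cookie is rejected.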
What you should do
- If you are using FileCloud on-premises, it is recommended that you apply the 22.214.171.12413 patch. This will resolve the issue.
- If you are using FileCloud online, the patch has already been applied to your installation of FileCloud.
If you have any questions about this advisory, please contact FileCloud support.