Bank Locker Management System
CVE-2025-50491
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Network-reachable but AC:H because the attacker must first obtain a valid session token; UI:R for the password-change action; impact is mainly confidentiality (C:H) with limited integrity and no availability effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul Bank Locker Management System v1.0 lets remote attackers reuse valid session tokens because the /banker/change-password.php component fails to invalidate existing sessions after a password change. Any session token captured before the change (via a shared machine, network capture, or referrer/log leakage) remains usable, letting an attacker impersonate the banker account. A GitHub reference (VasilVK/CVE) is published for this issue, and EPSS risk is low at 0.34% (27th percentile) with no active exploitation reported.
Technical ContextAI
PHPGurukul Bank Locker Management System is a small PHP/MySQL web application distributed as free source for banks/branches to track locker allocations; the affected code path is the banker-side password change handler /banker/change-password.php. The root cause is CWE-613 (Insufficient Session Expiration): the application does not invalidate or rotate the server-side session identifier when a credential-changing event (password change) occurs. In a correctly built PHP app the change-password flow should call session_regenerate_id(true) and destroy all other active sessions for that user; here the old PHPSESSID stays authenticated, so a previously issued token continues to grant access even after credentials are altered. The single affected build is identified by CPE cpe:2.3:a:phpgurukul:bank_locker_management_system:1.0.
RemediationAI
No vendor-released patch identified at time of analysis for PHPGurukul Bank Locker Management System v1.0, and no fixed version is published in the available data. As specific compensating controls: modify /banker/change-password.php to call session_regenerate_id(true) immediately after a successful password update and explicitly destroy all other server-side sessions for that account (trade-off: forces re-login on other devices, which is desired here); shorten PHP session.gc_maxlifetime and set session.cookie_lifetime so idle tokens expire quickly (trade-off: more frequent re-authentication); enforce HTTPS with Secure, HttpOnly and SameSite cookie flags to reduce token capture; and restrict access to the /banker/ interface via IP allow-listing or a VPN so stolen tokens are only replayable from trusted networks. Consult the third-party writeup at https://github.com/VasilVK/CVE/tree/main/CVE-2025-50491 for reproduction detail, and verify any fix directly with PHPGurukul before assuming resolution.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today