Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change will allow attacker to access to a session, then they can maintain control over the account despite the password change leading to account takeover.
AnalysisAI
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability stems from a session management implementation flaw classified under CWE-613 (Insufficient Session Expiration), where HCL Aftermarket DPC does not properly invalidate active HTTP sessions when a user changes their password. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Session tokens or cookies remain valid post-password-change because the application lacks server-side session lifecycle management tied to authentication credential events. This allows a threat actor with an existing authenticated session (established through credential compromise, phishing, or other means) to bypass the user's defensive action of password reset, maintaining unauthorized access to the account and its associated resources.
RemediationAI
Apply the security patch from HCL as described in their official advisory (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The patch should address session invalidation logic to ensure all active sessions are terminated when a password change event occurs. Until patching is possible, mitigate by enforcing periodic session timeout policies (e.g., 30-60 minute inactivity windows) at the application level, implementing IP-based session pinning where feasible to detect session hijacking, and monitoring account activity logs for unexpected concurrent sessions. Additionally, require users to log out from all devices after a password change and implement multi-factor authentication (MFA) to add a second factor of control beyond session tokens.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209085
GHSA-m87p-2jxv-5xfp