CVE-2021-25985 HIGH

CVE-2021-25985: FactorJS - Insufficient Session Expiration Leads to a Local Account Takeover

Vendor Factorjs
Product Factor
Weakness CWE-613 · Insufficient session expiration
Published November 16, 2021
Last update April 30, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30 does not properly invalidate a user’s session even after the user logs out of the application. In addition, user sessions are stored in the browser’s local storage, which by default has no expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.

Key dates

Disclosure timeline

November 16, 2021 CVE published
April 30, 2025 Record updated