{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rails/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["katalyst-koi (\u003c 4.20.0)","katalyst-koi (\u003e= 5.0.0, \u003c 5.6.0)","Rails"],"_cs_severities":["medium"],"_cs_tags":["session-replay","vulnerability","authentication"],"_cs_type":"advisory","_cs_vendors":["RubyGems","Rails"],"content_html":"\u003cp\u003eKatalyst Koi is vulnerable to a session replay attack where admin session cookies are not invalidated when an admin user logs out. This vulnerability allows an attacker who has previously obtained a valid admin session cookie to continue accessing admin functionalities even after the legitimate admin user has logged out. The unauthorized access persists until the cookie expires or the session secrets are rotated. This issue affects applications using Koi admin authentication, where admin session cookies may have been exposed through various means, such as caching, interception, or retention. Users should upgrade to the patched Koi releases (4.20.0 or 5.6.0) to mitigate this vulnerability.\nThe vulnerability was published May 7, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a valid admin session cookie, potentially through network sniffing, cross-site scripting (XSS), or stolen credentials.\u003c/li\u003e\n\u003cli\u003eA legitimate admin user authenticates to the Katalyst Koi application and receives a session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or otherwise obtains a copy of this valid admin session cookie.\u003c/li\u003e\n\u003cli\u003eThe legitimate admin user logs out of the Katalyst Koi application.\u003c/li\u003e\n\u003cli\u003eThe Katalyst Koi application fails to invalidate the existing admin session cookie upon logout.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen admin session cookie in subsequent requests to the Katalyst Koi application.\u003c/li\u003e\n\u003cli\u003eThe Katalyst Koi application incorrectly authenticates the attacker, granting them continued access to admin functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions within the application, such as modifying data, changing configurations, or accessing sensitive information until the cookie expires.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to maintain persistent, unauthorized access to administrative functions within the Katalyst Koi application. The impact can include data breaches, unauthorized modifications to the application configuration, and potential compromise of sensitive user data.\nThe vulnerability impacts all applications using Koi admin authentication where an admin session cookie may have been exposed, cached, intercepted, or otherwise retained after logout.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Katalyst Koi version 4.20.0 or 5.6.0, or backport the fix to invalidate session cookies after logout, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of session cookie theft.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthorized access using replayed session cookies.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to session management (e.g., unusual cookie usage) to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and update session management policies to ensure session cookies are properly invalidated upon logout.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-katalyst-koi-session-replay/","summary":"Katalyst Koi versions before 4.20.0 and between 5.0.0 and 5.6.0 fail to invalidate admin session cookies upon logout, allowing attackers with a valid cookie to maintain unauthorized access.","title":"Katalyst Koi Session Cookies Replayable After Logout","url":"https://feed.craftedsignal.io/briefs/2024-01-03-katalyst-koi-session-replay/"}],"language":"en","title":"CraftedSignal Threat Feed — Rails","version":"https://jsonfeed.org/version/1.1"}