Impact
Active user sessions in the Open eClass platform are not invalidated when a password is changed. A session token issued before the change therefore remains usable, so whoever holds such a token keeps access to the account without needing the new credentials. This lets a compromised session persist past the password change that was meant to end it and can lead to unauthorized disclosure, tampering, or destruction of the user's data; the flaw is a session hijacking weakness classified under CWE-613.
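The behaviour described above, modelled as an added Python example (this is not Open eClass code; the class and function names, the in-memory session store and the PBKDF2 stand-in for a real password hash are all assumptions made for the illustration). The vulnerable store changes the password and leaves every session untouched; the hardened store bumps a per-user credential generation, revokes the user's other sessions server-side, and re-stamps only the session that performed the change:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    user: str
    issued_at: float
    cred_gen: int  # credential generation the session was issued under


def _hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a proper password hash; the point here is session handling.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class VulnerableSessionStore:
    """Models the flawed behaviour: a password change leaves existing sessions valid."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.creds: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.cred_gen: dict[str, int] = {}  # user -> credential generation counter

    def register(self, user: str, pw: str) -> None:
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash_password(pw, salt))
        self.cred_gen[user] = 1

    def _check_password(self, user: str, pw: str) -> bool:
        salt, stored = self.creds[user]
        return secrets.compare_digest(stored, _hash_password(pw, salt))

    def login(self, user: str, pw: str) -> str:
        if not self._check_password(user, pw):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, time.time(), self.cred_gen[user])
        return token

    def change_password(self, token: str, old: str, new: str) -> None:
        sess = self.sessions[token]
        if not self._check_password(sess.user, old):
            raise PermissionError("bad credentials")
        salt = secrets.token_bytes(16)
        self.creds[sess.user] = (salt, _hash_password(new, salt))
        # Flaw: no session is revoked and the credential generation is not bumped.

    def is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        return sess is not None and sess.cred_gen == self.cred_gen[sess.user]


class HardenedSessionStore(VulnerableSessionStore):
    """A password change ends every other session of the user."""

    def change_password(self, token: str, old: str, new: str) -> None:
        super().change_password(token, old, new)
        user = self.sessions[token].user
        # Bump the generation so any token stamped under the old one fails is_valid()
        # even if a copy of it survives somewhere outside this store.
        self.cred_gen[user] += 1
        # Revoke the user's other sessions outright (server-side, not just client cookies).
        stale = [t for t, s in self.sessions.items() if s.user == user and t != token]
        for t in stale:
            del self.sessions[t]
        # Keep only the session that performed the change, re-stamped under the new generation.
        self.sessions[token].cred_gen = self.cred_gen[user]


def demo(store_cls) -> tuple[bool, bool]:
    """Constructed scenario: one session opened earlier (e.g. another device), one that changes
    the password. Returns (earlier session still valid, changing session still valid)."""
    store = store_cls()
    store.register("alice", "old-pass")
    earlier_token = store.login("alice", "old-pass")  # issued before the change
    owner_token = store.login("alice", "old-pass")
    store.change_password(owner_token, "old-pass", "new-pass")
    return store.is_valid(earlier_token), store.is_valid(owner_token)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableSessionStore))  # (True, True)
    print("hardened:  ", demo(HardenedSessionStore))    # (False, True)
```

The generation counter and the explicit revocation are deliberately both present: deleting server-side records handles the common case, while the counter also covers tokens that are validated from a replica or a signed cookie that the deletion never reaches.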
Affected Systems
The issue affects the Open eClass community edition, identified as gunet:openeclass. Versions built from source prior to 4.2 are vulnerable; the fix is included in release 4.2 and later.
Risk and Exploitability
The vulnerability has a moderate base CVSS score of 5.0, and its EPSS score puts the probability of exploitation at less than 1%. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is an authenticated or partially authenticated operation in which the attacker already holds a valid session cookie or token; a token could also be obtained through another vulnerability such as XSS, but the advisory does not state this explicitly. Exploitation consists of reusing a session that remained active after a password change; the flaw itself does not involve a separate vulnerability for obtaining that token. The risk is that whoever holds the session token can keep using the account with no indication that the password was changed, so ongoing monitoring of session activity and audit logs is advised.
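The monitoring the paragraph recommends, as an added Python example that is not part of the advisory and not Open eClass code. The log format (`timestamp user=… event=… session=…`), the event names and the sample lines are constructed for the illustration; a real deployment would map its own audit log fields onto the same logic. The check flags any session that was issued before a user's most recent password change, is not the session that made the change, and is still used afterwards:

```python
import re
from datetime import datetime

# Constructed audit-log format; real logs need their own field mapping.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) session=(?P<session>\S+)$"
)

# Constructed sample: alice's session s1 predates her password change (made from s2)
# and is still active afterwards; bob's activity is unrelated.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z user=alice event=login session=s1",
    "2024-05-01T10:05:00Z user=alice event=login session=s2",
    "2024-05-01T10:10:00Z user=alice event=password_change session=s2",
    "2024-05-01T10:20:00Z user=alice event=request session=s1",
    "2024-05-01T10:21:00Z user=alice event=request session=s2",
    "2024-05-01T10:30:00Z user=bob event=login session=s3",
    "2024-05-01T10:31:00Z user=bob event=request session=s3",
    "this line is malformed and is skipped",
]


def parse(lines):
    """Parse log lines into (timestamp, user, event, session) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["user"], m["event"], m["session"]))
    return sorted(events)


def find_stale_session_use(lines):
    """Return one finding per session that stayed active across its user's password change."""
    issued = {}       # session -> time it was issued (login)
    last_change = {}  # user -> (time of latest password change, session that made it)
    flagged = set()
    findings = []
    for ts, user, event, session in parse(lines):
        if event == "login":
            issued[session] = ts
        elif event == "password_change":
            last_change[user] = (ts, session)
        elif user in last_change and session in issued and session not in flagged:
            change_ts, change_session = last_change[user]
            # Issued before the change, not the changing session, used after the change.
            if issued[session] < change_ts < ts and session != change_session:
                flagged.add(session)
                findings.append({
                    "user": user,
                    "session": session,
                    "issued_at": issued[session].isoformat(),
                    "password_changed_at": change_ts.isoformat(),
                    "used_at": ts.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_stale_session_use(SAMPLE_LOG):
        print(f)
```

On a patched instance this scan should return nothing, because no session can outlive the change; a non-empty result on an unpatched instance identifies exactly the sessions an administrator should terminate by hand.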
OpenCVE Enrichment