CVE-2023-31292
Description
Sesami CPTO 6.3.8.6 (#718) allows local attackers to steal user credentials via a browser 'Back Button Refresh' (Back-Back-Refresh) attack due to insufficient session expiration (CWE-613).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718). The vulnerability is classified as CWE-613 (Insufficient Session Expiration) and allows a local attacker to perform a 'Back Button Refresh' (also known as Back-Back-Refresh) attack. When a victim logs out, the browser may still cache sensitive data including the username and password in the session history. The application does not properly invalidate the session on logout, leaving credentials accessible in the browser cache. This affects CPTO 6.3.8.6 (#718) as published on 2021-07-06 [1].
Exploitation
An attacker with local access to the victim's computer can initiate the attack by clicking the browser's back button after the victim has logged out. Upon reaching the 'Document Expired' page, the attacker clicks the 'Try Again' and 'Resend' buttons. Using the browser's Web Developer Tools, the attacker can then intercept the cached username and password of the logged-out user. The attack requires no special privileges beyond physical or remote local access to the victim's machine after logout [1].
Impact
Successful exploitation allows the attacker to obtain the victim's credentials, leading to a complete compromise of the victim's account. This results in unauthorized access to the CPTO application with the privileges of the victim, enabling potential data theft, manipulation of cash point and transport data, and further lateral movement within the system. The impact is high in terms of confidentiality and availability [1].
Mitigation
The vendor has acknowledged the vulnerability and fixed it. Users should update CPTO to its current version (beyond 6.3.8.6 (#718)). The patch was already available as of the advisory publication date (2023-12-21). The references provide no workaround [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Sesami: Cash Point & Transport Optimizer (CPTO)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient session expiration allows cached login credentials from a previous session to be replayed via the browser's back-button and document-expired page."
Attack vector
An attacker with local access to the victim's computer clicks the browser's back button after the victim has logged out of CPTO [ref_id=1]. The browser displays a "Document Expired" page; by clicking "Try Again" and "Resend," the cached POST request containing the victim's username and password is re-submitted [ref_id=1]. The attacker can intercept these credentials using the browser's Web Developer Tools [ref_id=1]. The attack requires the victim to have previously logged in on the same browser and then logged out, without the session being properly invalidated on the client side [CWE-613].
Affected code
The advisory does not specify particular files or functions. The vulnerability exists in the session management and logout handling of Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [ref_id=1].
What the fix does
The advisory states that users should update CPTO to its current version, but no patch diff is provided in the bundle [ref_id=1]. The vendor acknowledged the vulnerability and indicated a fix would be delivered in an autumn update [ref_id=1]. A proper fix would ensure that after logout the server instructs the browser to clear cached credentials (e.g., via Cache-Control headers) and that the session token is invalidated server-side so that replayed requests are rejected [CWE-613].
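The two controls named in the paragraph above, server-side invalidation of the session on logout and Cache-Control headers that keep the browser from retaining the login exchange, as an added illustration in Python (standard library only). This is not CPTO's code and not the vendor's fix. The in-memory session store, the 15-minute idle timeout, the user table and its salt are constructed for the example; `audit_cache_headers` is a hypothetical helper that flags a response still missing the no-store directives, which is the cached-POST precondition the attack depends on.

```python
"""
Added example (not CPTO's code): a minimal login/logout flow showing the
server-side controls that remove the Back-Button-Refresh condition:
  1. Post/Redirect/Get after login, so the history entry is a GET with no
     form body to "Resend";
  2. Cache-Control: no-store on every authenticated, login and logout response;
  3. session tokens destroyed server-side on logout and on idle timeout, so a
     replayed cookie is rejected (CWE-613).
Assumptions (constructed): in-memory session store, 15-minute idle timeout,
one test user.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60

# Constructed user table: username -> salted SHA-256 of the password.
_SALT = b"example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Server-side session store: token -> {"user": name, "expires": unix time}.
SESSIONS = {}

# Headers telling the browser and intermediaries not to keep a copy of the
# response; without them the page (and a POST's form body) can survive in
# history and be resubmitted from the "Document Expired" page.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def login(username, password):
    """Verify credentials in constant time; return a fresh token or None."""
    expected = USERS.get(username)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, candidate):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username,
                       "expires": time.time() + SESSION_TTL_SECONDS}
    return token


def login_response(token):
    """Response to a successful login POST: 303 redirect (Post/Redirect/Get)
    plus no-store, so neither the POST nor its result is kept for replay."""
    headers = dict(NO_STORE_HEADERS)
    headers["Location"] = "/dashboard"
    headers["Set-Cookie"] = (f"session={token}; Path=/; HttpOnly; "
                             "Secure; SameSite=Strict")
    return 303, headers


def current_user(token):
    """Resolve a token; unknown or expired tokens are rejected and purged."""
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["expires"] < time.time():
        SESSIONS.pop(token, None)  # idle timeout: the other half of CWE-613
        return None
    return session["user"]


def authenticated_page(token):
    """GET /dashboard: 200 with no-store headers, or 401 for a bad token."""
    user = current_user(token)
    if user is None:
        return 401, dict(NO_STORE_HEADERS), "login required"
    return 200, dict(NO_STORE_HEADERS), f"welcome {user}"


def logout(token):
    """POST /logout: destroy the session server-side, expire the cookie, and
    keep the logout response itself out of the cache."""
    SESSIONS.pop(token, None)
    headers = dict(NO_STORE_HEADERS)
    headers["Location"] = "/login"
    headers["Set-Cookie"] = ("session=; Max-Age=0; Path=/; HttpOnly; "
                             "Secure; SameSite=Strict")
    return 303, headers


def audit_cache_headers(headers):
    """Hypothetical check: list caching weaknesses in a response's headers
    (an empty list means the response cannot be replayed from cache)."""
    findings = []
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",")
                  if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache")
    if headers.get("Pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (legacy HTTP/1.0 caches)")
    return findings
```

A replayed cookie after `logout` reaches `authenticated_page` and gets 401 because the token no longer exists server-side; the same helper applied to a response carrying only `Cache-Control: private, max-age=600` reports all three findings, which is the state the advisory describes.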
Preconditions
- auth: Victim must have previously logged into CPTO on the same browser and then logged out.
- network: Attacker must have local access to the victim's computer after the victim has logged out.
- input: The browser must still have the login POST request cached (no proper cache-control headers set by the server).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.