
Cloud Vulnerability DB
A community-led vulnerabilities database
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets (NVD). The vulnerability was disclosed on August 16, 2021, and affects the Lin-CMS-Flask framework version 0.1.1.
The vulnerability is classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is CWE-613 (Insufficient Session Expiration): the application fails to invalidate authentication tokens after user logout, so a token the user believes is retired remains usable (MITRE CWE).
The vulnerability allows remote attackers to gain unauthorized access to sensitive information and potentially escalate privileges. Since the authentication tokens remain valid after logout, attackers can replay captured requests to access protected resources and perform actions with the original user's privileges (NVD).
The vulnerability affects Lin-CMS-Flask version 0.1.1. Users should upgrade to a newer version of the framework that properly invalidates authentication tokens upon user logout. Additionally, implementing proper session expiration mechanisms and token invalidation during the logout process is recommended (NVD).
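To make the CWE-613 pattern and its fix concrete, here is an added example that is not code from Lin-CMS-Flask or from this report. It assumes a generic HMAC-signed bearer token carrying a per-token id (`jti`) and an expiry; the secret and the user names are constructed for the example. `StatelessAuth` checks only signature and expiry, so a token presented again after logout is still accepted; `RevocableAuth` records the `jti` in a server-side denylist on logout and rejects the replay.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed for this example; load from config in practice

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user, ttl=3600, now=None):
    """Bearer token = base64url(JSON claims) '.' base64url(HMAC-SHA256); jti is the per-token id."""
    claims = {"sub": user, "jti": secrets.token_hex(8), "exp": int((now or time.time()) + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify_token(token, now=None):
    """Return the claims if the tag matches and the token is unexpired, else None."""
    body, _, tag = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > (now or time.time()) else None

class StatelessAuth:
    """Signature and expiry only: logout does nothing server-side, the CWE-613 pattern."""
    def logout(self, token):
        pass  # the client is told to drop the token, but the server keeps accepting it
    def is_revoked(self, claims):
        return False
    def authenticate(self, token, now=None):
        claims = verify_token(token, now)
        return claims["sub"] if claims and not self.is_revoked(claims) else None

class RevocableAuth(StatelessAuth):
    """Same tokens plus a server-side denylist of jti values, filled on logout."""
    def __init__(self):
        self.revoked = {}  # jti -> exp, so entries can be dropped once they expire anyway
    def logout(self, token):
        claims = verify_token(token)
        if claims:
            self.revoked[claims["jti"]] = claims["exp"]
    def is_revoked(self, claims):
        return claims["jti"] in self.revoked

def replay_after_logout(auth):
    """Issue a token for alice, log her out, then present the same token again."""
    token = issue_token("alice")
    auth.logout(token)
    return auth.authenticate(token)
```

In a real deployment the denylist must be shared across application instances (for example in the session store or a cache) and entries only need to live until the token's own `exp`, which keeps the list small.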
Source: This report was generated using AI