Felix Schäfer

#33203 of 53,633
7.8 Total CVSS
Vulnerabilities · 1
PT-2021-7937
7.8
2021-08-05
Redmine · Redmine · CVE-2021-37156
**Name of the Vulnerable Software and Affected Versions**

Redmine versions 4.2.0 through 4.2.1

**Description**

The issue is incorrect session expiration in Redmine, a web application for project and task management. When two-factor authentication is enabled for a user's account, that user's existing sessions are not terminated as intended and remain valid. A remote attacker could potentially exploit this to continue accessing the user's account without proper authentication.

**Recommendations**

For Redmine versions 4.2.0 and 4.2.1, consider terminating all existing user sessions immediately after enabling two-factor authentication for the user's account as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.