PT-2021-16890 · Unknown · Orchard Core Cms

Published: 2021-10-10 · Updated: 2022-02-25 · CVE-2021-25966

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Orchard Core CMS versions 1.0.0-beta1-3383 to 1.0.0
Description: The issue is improper session termination after a password change. When a user or an administrator changes a password, sessions that were already authenticated are not invalidated, so a user who was logged in before the change keeps access to the application even after the password has been changed.
Recommendations: For versions 1.0.0-beta1-3383 to 1.0.0, until a proper session termination mechanism is implemented, consider temporarily restricting access to the application for users who were logged in before their password was changed, to minimize the risk of exploitation. As a temporary workaround, consider disabling the password change feature until a patch is available.
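The mechanism behind the issue and the session termination the recommendation asks for, as an added example in Python that is not Orchard Core's code: each session records the user's security stamp at login, a password change rotates the stamp, and any session still carrying the old stamp is refused. The `User`/`SessionStore` names, the `validate_stamp` switch and the hash strings are constructed for illustration; the `validate_stamp=False` path reproduces the flaw described above.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    password_hash: str  # stand-in for a real KDF hash (constructed value)
    # Rotated on every password change; a session is valid only while it matches.
    security_stamp: str = field(default_factory=lambda: secrets.token_hex(8))


class SessionStore:
    def __init__(self, validate_stamp: bool):
        self.validate_stamp = validate_stamp  # False reproduces the advisory's flaw
        self.users: dict[str, User] = {}
        self.sessions: dict[str, tuple[str, str]] = {}  # token -> (user, stamp at login)

    def login(self, name: str, password_hash: str) -> str:
        user = self.users[name]
        if user.password_hash != password_hash:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (name, user.security_stamp)
        return token

    def change_password(self, name: str, new_hash: str) -> None:
        user = self.users[name]
        user.password_hash = new_hash
        user.security_stamp = secrets.token_hex(8)  # makes every earlier session stale

    def is_authenticated(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        name, stamp_at_login = entry
        if not self.validate_stamp:
            return True  # vulnerable: only checks that the session exists
        return stamp_at_login == self.users[name].security_stamp


def old_session_survives_password_change(validate_stamp: bool) -> bool:
    """Log in, change the password (by the user or an admin), and report
    whether the pre-change session is still accepted."""
    store = SessionStore(validate_stamp)
    store.users["alice"] = User("alice", "hash-old")
    token = store.login("alice", "hash-old")
    store.change_password("alice", "hash-new")
    return store.is_authenticated(token)
```

In a real deployment the stamp check runs on every request (or on a short validation interval), so the cost is one extra comparison per request rather than a scan of the session table.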

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2021-25966

Affected Products

Orchard Core Cms