PT-2021-16903 · Unknown · Apostrophe CMS
Daniel Elkabes · Published 2021-11-08 · Updated 2022-08-10
CVE-2021-25979
CVSS v3.1: 9.8 (Critical)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apostrophe CMS versions prior to 3.3.1
Description
The issue allows unauthenticated remote attackers to hijack the sessions of recently logged-in users because of insufficient session expiration: an existing session is not invalidated when the user's account is disabled or the password is changed. If a device holding such a session is compromised by a third party, the session remains usable and the account holder has no way to lock the third party out through those two controls.
Recommendations
For versions prior to 3.3.1, as a mitigation measure, archive the user account in question (3.x releases) or move it to the trash (2.x and earlier releases); either action disables the existing session.
Fix
Weakness Enumeration
Insufficient Session Expiration (CWE-613)
Related Identifiers
Affected Products
Apostrophe CMS