PT-2021-20051 · Octobercms · October
Daftspunk · Published 2021-02-05 · Updated 2021-03-15 · CVE-2021-3311
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
October versions prior to 1.0.472
October versions prior to 1.1.2
Description
An issue was discovered where an old session ID is reactivated once a new login occurs, violating the intended authentication behavior. The issue is relevant when an old session ID is known to an attacker. On logout the session ID was not invalidated, so anyone who had obtained the old session cookie could continue to act as the logged-in user.
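To make the two behaviours in the description concrete, the following is an added illustration (not OctoberCMS code): a toy server-side session store that leaves the session record alive after logout and hands a known old ID back on the next login, next to a store that destroys the record and always issues a fresh ID, plus the check a defender would put in a test suite. The store API, the `audit_session_lifecycle` helper and the user name are assumptions made for the example.

```python
"""Toy model of the session-lifecycle weakness described in the advisory.
Added illustration, not OctoberCMS code: the store API, the audit helper
and the user name are assumptions."""
import secrets


class VulnerableSessionStore:
    """Reproduces the two behaviours from the description: logout leaves the
    server-side record intact, and a login that presents a known old ID
    reactivates that ID instead of issuing a new one."""

    def __init__(self):
        self._sessions = {}  # session ID -> {"user": name}

    def login(self, user, presented_sid=None):
        if presented_sid is not None and presented_sid in self._sessions:
            # Flaw: the old ID is bound to the new login and handed back.
            self._sessions[presented_sid] = {"user": user}
            return presented_sid
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid):
        # Flaw: only the browser cookie would be cleared; the server-side
        # record survives, so whoever holds the old cookie stays logged in.
        return None

    def user_for(self, sid):
        """Resolve a presented session ID to a user, or None if not valid."""
        rec = self._sessions.get(sid)
        return rec["user"] if rec else None


class HardenedSessionStore(VulnerableSessionStore):
    """Same store with the intended lifecycle: never reuse an ID across a
    login, and destroy the record on logout."""

    def login(self, user, presented_sid=None):
        # Discard whatever session the client arrived with; never reuse its ID.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid):
        # Invalidate server-side, not just the client cookie.
        self._sessions.pop(sid, None)


def audit_session_lifecycle(store):
    """Exercise login -> logout -> re-login and report the two properties a
    defender would assert on: is the old cookie still accepted after logout,
    and does a login that presents the old ID get that same ID back?"""
    first_sid = store.login("alice")  # constructed sample user
    store.logout(first_sid)
    reusable_after_logout = store.user_for(first_sid) is not None
    second_sid = store.login("alice", presented_sid=first_sid)
    old_id_reactivated = second_sid == first_sid
    return {
        "reusable_after_logout": reusable_after_logout,
        "old_id_reactivated": old_id_reactivated,
    }


if __name__ == "__main__":
    for name, store in (("vulnerable", VulnerableSessionStore()),
                        ("hardened", HardenedSessionStore())):
        print(name, audit_session_lifecycle(store))
```

The same two assertions translate directly into an integration test against a real deployment: log in, log out, replay the old cookie and expect an unauthenticated response; log in again and expect the cookie value to differ from the one issued before. A build that passes both checks does not exhibit the behaviour described in this advisory.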
Recommendations
For versions prior to 1.0.472, update to Build 472 or apply the patch from https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually.
For versions prior to 1.1.2, update to v1.1.2 or apply the patch from https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually.
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2021-3311
Affected Products
October