PT-2022-9686 · Talkyard · Talkyard

Published: 2022-01-03 · Updated: 2022-01-14 · CVE-2021-25981

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Talkyard versions v0.2021.20 through v0.2021.33; Talkyard dev versions v0.2021.20 through v0.2021.34
Description: Talkyard does not invalidate the session token on the server side when the user logs out (Insufficient Session Expiration). An attacker who has obtained an administrator's session token by some other means can keep presenting it after the administrator has logged out and so act with admin privileges for as long as the token itself remains valid. The issue is only exploitable once the attacker holds such a token, which would have to be obtained through a separate, hypothetical attack.
Recommendations: For Talkyard versions v0.2021.20 through v0.2021.33, update to a release later than v0.2021.33. For Talkyard dev versions v0.2021.20 through v0.2021.34, update to a dev release later than v0.2021.34. Until the update is applied, the practical mitigation is to limit how an admin's session token could be obtained in the first place, since the issue is only exploitable once an attacker holds one: use admin accounts only from trusted browsers and devices, and serve the site over HTTPS only so the token is not exposed in transit.
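The following is an added example, not Talkyard's own code, showing why a logout that only deletes the browser cookie leaves a copied token usable (the weakness class this advisory describes) and what a server-side fix looks like. The token layout, the signing key, and all class and function names are illustrative assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed signing key for this demo; a real server loads it from configuration.
SIGNING_KEY = b"demo-signing-key-do-not-reuse"


def _mac(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def _mint(fields: list) -> str:
    """Serialise fields as 'a|b|c|<hmac>' so the client cannot alter them."""
    body = "|".join(fields)
    return body + "|" + _mac(body)


def _verify(token: str) -> Optional[list]:
    """Return the signed fields, or None if the token is malformed or tampered."""
    body, _, mac = token.rpartition("|")
    if not body or not mac.isascii() or not hmac.compare_digest(mac, _mac(body)):
        return None
    return body.split("|")


def _clock(now: Optional[float]) -> float:
    return time.time() if now is None else now


class StatelessSessions:
    """Vulnerable pattern (CWE-613).  The token is self-contained: user, expiry
    and an HMAC.  The server stores nothing, so logout can only tell the browser
    to drop its cookie; every other copy of the token stays valid until expiry."""

    def login(self, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        expiry = int(_clock(now) + ttl)
        return _mint([user, str(expiry)])

    def logout(self, token: str) -> None:
        # Nothing to revoke: the server has no record of this session.
        return None

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        fields = _verify(token)
        if fields is None or len(fields) != 2:
            return None
        user, expiry = fields
        return user if _clock(now) < int(expiry) else None


class RevocableSessions:
    """Fixed pattern.  The token additionally carries a random session id that is
    recorded server-side at login and deleted at logout, so a replayed copy is
    refused even though its signature and expiry would still check out."""

    def __init__(self) -> None:
        self._live: dict = {}  # session id -> (user, expiry)

    def login(self, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(16)
        expiry = int(_clock(now) + ttl)
        self._live[sid] = (user, expiry)
        return _mint([user, str(expiry), sid])

    def logout(self, token: str) -> None:
        fields = _verify(token)
        if fields is not None and len(fields) == 3:
            self._live.pop(fields[2], None)

    def logout_everywhere(self, user: str) -> int:
        """Revoke all of a user's sessions, e.g. after a password change."""
        doomed = [sid for sid, (u, _) in self._live.items() if u == user]
        for sid in doomed:
            del self._live[sid]
        return len(doomed)

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        fields = _verify(token)
        if fields is None or len(fields) != 3:
            return None
        user, _, sid = fields
        record = self._live.get(sid)
        if record is None or record[0] != user:
            return None
        if _clock(now) >= record[1]:
            del self._live[sid]  # expired: clean up and refuse
            return None
        return user


def replay_after_logout(sessions) -> Optional[str]:
    """The advisory's scenario: a copy of the admin's token is obtained by some
    other attack, the admin logs out, and the copy is presented afterwards.
    Returns the identity the server grants to the replayed token (None = refused)."""
    admin_token = sessions.login("admin")
    stolen_copy = admin_token
    sessions.logout(admin_token)
    return sessions.resolve(stolen_copy)


if __name__ == "__main__":
    print("stateless :", replay_after_logout(StatelessSessions()))   # admin
    print("revocable :", replay_after_logout(RevocableSessions()))   # None
```

The same scenario is also how to check a deployment: capture the session cookie from a browser logged in as admin, log out in that browser, then replay the captured cookie against an admin-only page from another client. A version with the fix refuses the replayed cookie; an affected version still serves the admin view.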

Weakness Enumeration: Insufficient Session Expiration (CWE-613)

Related Identifiers: CVE-2021-25981

Affected Products: Talkyard