Camaleon CMS Insufficient Session Expiration vulnerability

GHSA-438x-2p9v-g8h9 · CVE-2021-25970

Published May 24, 2022 · Modified Nov 8, 2023

Description

Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030 which is included in the 2.6.0.1 release.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-25970
WEB https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
PACKAGE https://github.com/owen2345/camaleon-cms
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml
WEB https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes