Apostrophe CMS Insufficient Session Expiration vulnerability

GHSA-9j9m-8wjc-ff96 · CVE-2021-25979

Published Nov 10, 2021 · Modified Nov 8, 2023

Description

Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack recently logged-in users' sessions. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-25979
WEB https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c
PACKAGE https://github.com/apostrophecms/apostrophe

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes