Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
References
Link | Resource |
---|---|
https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Mend
Published: 2021-11-08T14:20:11
Updated: 2022-08-10T14:10:09
Reserved: 2021-01-22T00:00:00
Link: CVE-2021-25979
JSON object: View
NVD Information
Status : Modified
Published: 2021-11-08T15:15:07.743
Modified: 2022-08-10T14:25:05.493
Link: CVE-2021-25979
JSON object: View
Redhat Information
No data.
CWE