Description
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
References
- Patch
- Vendor Advisory
- Patch
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 4.13.40 (excluding 4.13.40)
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
EPSS
Percentile: 44%
Score: 0.00212
Low
CVSS3: 5.9 Medium
CVSS3: 7.1 High
Weaknesses
CWE-384
CWE-613
Related vulnerabilities
CVSS3: 5.9
github
almost 2 years ago
Contao: Remember-me tokens will not be cleared after a password change