GHSA-438x-2p9v-g8h9
Vulnerability from github
Published
2022-05-24 22:28
Modified
2023-03-01 18:56
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Camaleon CMS Insufficient Session Expiration vulnerability
Details

Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030 which is included in the 2.6.0.1 release.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "camaleon_cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.7"
            },
            {
              "fixed": "2.6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-24T15:59:43Z",
    "nvd_published_at": "2021-10-20T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Camaleon CMS 0.1.7 through 2.6.0 doesn\u2019t terminate the active session of the users, even after the admin changes the user\u2019s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit `77e31bc6cdde7c951fba104aebcd5ebb3f02b030` which is included in the `2.6.0.1` release.",
  "id": "GHSA-438x-2p9v-g8h9",
  "modified": "2023-03-01T18:56:46Z",
  "published": "2022-05-24T22:28:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25970"
    },
    {
      "type": "WEB",
      "url": "https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/owen2345/camaleon-cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Camaleon CMS Insufficient Session Expiration vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.