Lucene search

GitHub Advisory DatabaseGHSA-VCGG-HP4R-87GX

HistoryMay 14, 2022 - 1:09 a.m.

Contao Does Not Invalidate Existing Sessions When Password Changes

2022-05-1401:09:10

CWE-640

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.7%

JSON

Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.

Affected configurations

Vulners

Node

contaocontaoRange<3.5.39

contaocontaoRange<4.7.3

contaocontaoRange<4.4.37

contaocontaoRange<4.7.3

contaocontaoRange<4.4.37

CPENameOperatorVersion
contao/corelt3.5.39
contao/core-bundlelt4.7.3
contao/core-bundlelt4.4.37
contao/contaolt4.7.3
contao/contaolt4.4.37

Name	Operator	Version
contao/core	lt	3.5.39
contao/core-bundle	lt	4.7.3
contao/core-bundle	lt	4.4.37
contao/contao	lt	4.7.3
contao/contao	lt	4.4.37

References

contao.org/en/news/security-vulnerability-cve-2019-10641.html

github.com/advisories/GHSA-vcgg-hp4r-87gx

github.com/contao/contao/commit/74c7dfafa0dfa5363a9463b486522d5d526e28fe

github.com/contao/contao/commit/b92e27bc7c9e59226077937f840c74ffd0f672e8

github.com/contao/core/commit/119a1b5bd9e62d27ca2838727084d04f3b7fcd32

github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10641.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10641.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2019-10641.yaml

nvd.nist.gov/vuln/detail/CVE-2019-10641

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.7%

JSON

Related for GHSA-VCGG-HP4R-87GX