Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030
which is included in the 2.6.0.1
release.
github.com/owen2345/camaleon-cms
github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml
nvd.nist.gov/vuln/detail/CVE-2021-25970
www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970