CVE-2021-21031 — Insufficient Session Expiration in Magento

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

5.6MEDIUMNVD

EPSS

0.2%

top 53.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento.com +1 more

Timeline

PublishedFeb 11

Latest updateMay 24

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages4 packages

▶NVDmagento/magento< 2.3.6+3

▶Packagistmagento/community-edition2.4.0 — 2.4.1-p1+1

▶CVEListV5adobe/magento.comunspecified — 2.4.1+3

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento Insufficient Session Expiration↗2022-05-24

▶

GHSA

Magento Insufficient Session Expiration↗2022-05-24

▶

CVEList

Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access↗2021-02-11

▶