CVE-2021-25970
Published 2021-10-20
Priority: P3 (41) | Severity: high | CVSS 3.1 base score: 8.8 | Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.26% (66.1th percentile)
Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.
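The following Ruby example is added here to show the session-expiration failure the advisory describes and one common way to close it. It is not Camaleon CMS code and not the project's fix; the `User` and `SessionStore` classes, the `session_version` counter, the toy password hashing and the sample credentials are all assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'

# Minimal stand-in for a user record (assumed names, not Camaleon CMS's).
class User
  attr_reader :id, :password_digest, :session_version

  def initialize(id, password)
    @id = id
    @session_version = 0
    store_password(password)
  end

  # Toy hashing for the example only; a real app uses bcrypt or argon2.
  def store_password(password)
    @salt = SecureRandom.hex(8)
    @password_digest = Digest::SHA256.hexdigest(@salt + password)
  end

  # CVE-2021-25970 behaviour: the digest changes, but nothing that existing
  # sessions are checked against does, so cookies issued earlier keep working.
  def change_password_vulnerable(new_password)
    store_password(new_password)
  end

  # Hardened: bump a per-user value that every session must still match.
  def change_password!(new_password)
    store_password(new_password)
    @session_version += 1
  end
end

# Server-side session table keyed by the cookie token.
class SessionStore
  def initialize
    @sessions = {}
  end

  # At login, capture the user's current session_version in the session.
  def create(user)
    token = SecureRandom.hex(16)
    @sessions[token] = { user_id: user.id, session_version: user.session_version }
    token
  end

  # Resolve a cookie to a user on each request; reject it if the version
  # captured at login no longer matches the user's current one.
  def authenticate(token, users)
    session = @sessions[token]
    return nil unless session
    user = users[session[:user_id]]
    return nil unless user
    return nil unless session[:session_version] == user.session_version
    user
  end
end

# Walk-through: log in, have the password reset both ways, re-check the cookie.
def demo
  users = {}
  user = User.new(1, 'initial-password') # constructed sample user
  users[user.id] = user
  store = SessionStore.new
  token = store.create(user)

  before = !store.authenticate(token, users).nil?
  user.change_password_vulnerable('reset-by-admin-1')
  after_vulnerable = !store.authenticate(token, users).nil?
  user.change_password!('reset-by-admin-2')
  after_hardened = !store.authenticate(token, users).nil?

  { before: before,
    after_vulnerable_change: after_vulnerable,
    after_hardened_change: after_hardened }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same idea applies when the session lives in a signed cookie rather than a server-side table: there is nothing to delete, so the check has to run on every request, comparing a value written into the session at login (a counter as above, a password-changed timestamp, or a hash of the password digest) against the user's current value. The comparison must also run for administrator-initiated resets, which is exactly the path the advisory describes.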
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| camaleon_cms | camaleon_cms | >= 0.1.7 < unspecified | unspecified |
| camaleon_cms | camaleon_cms | >= 0.1.7 < 2.6.0.1 | 2.6.0.1 |
| camaleon_cms | camaleon_cms | unspecified – 2.6.0 | — |
| tuzitio | camaleon_cms | 0.1.7 – 2.6.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
GHSA · 2022-05-24 · CVE-2021-25970 [HIGH] · CWE-613
Camaleon CMS Insufficient Session Expiration vulnerability
Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit `77e31bc6cdde7c951fba104aebcd5ebb3f02b030` which is included in the `2.6.0.1` release.
OSV · 2022-05-24 · CVE-2021-25970 [HIGH]
Camaleon CMS Insufficient Session Expiration vulnerability
Advisory text identical to the GHSA entry above (affected 0.1.7 through 2.6.0; resolved in commit `77e31bc6cdde7c951fba104aebcd5ebb3f02b030`, included in the `2.6.0.1` release).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970