CVE-2025-24859

CWE-613Insufficient Session ExpirationCWE-362Race Condition4 documents4 sources
Severity
2.1LOW
EPSS
0.1%
top 64.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache RollerApache Roller
Timeline
PublishedApr 14

Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller v

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N

Affected Packages2 packages

NVDapache/roller1.06.1.5
CVEListV5apache_software_foundation/apache_roller1.0.06.1.5

🔴Vulnerability Details

2
CVEList
Apache Roller: Insufficient Session Expiration on Password Change2025-04-14
GHSA
GHSA-fqfw-5jc9-hw27: A session management vulnerability exists in Apache Roller before version 62025-04-14

📋Vendor Advisories

1
Microsoft
Race condition vulnerability in Linux kernel bluetooth sniff_{minmax}_interval_set()2024-02-13