Description

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

Remediation

References

https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c

Related Vulnerabilities

CVE-2022-36944 Vulnerability in maven package org.scala-lang:scala-library

CVE-2022-25354 Vulnerability in npm package set-in

CVE-2021-3827 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2022-24901 Vulnerability in npm package parse-server

CVE-2022-27139 Vulnerability in npm package ghost

Severity

Critical

Tags

Patch Third Party Advisory NVD-CWE-noinfo