Description

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.

Remediation

References

CVE-2024-30262

Related Vulnerabilities

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-1817)

WordPress Plugin Admin Custom Login Cross-Site Request Forgery (3.2.7)

Liferay Portal CVE-2022-45320 Vulnerability (CVE-2022-45320)

phpMyAdmin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-4986)

WordPress Plugin Visualizer:Tables and Charts Manager for WordPress SQL Injection (3.11.1)

Severity

High

Classification

CVE-2024-30262 CWE-613 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Tags

Missing Update Known Vulnerabilities