Description
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
Remediation
References
Related Vulnerabilities
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-1817)
WordPress Plugin Admin Custom Login Cross-Site Request Forgery (3.2.7)
Liferay Portal CVE-2022-45320 Vulnerability (CVE-2022-45320)
WordPress Plugin Visualizer:Tables and Charts Manager for WordPress SQL Injection (3.11.1)