Apostrophe - Insufficient Session Expiration

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

不充分的会话过期机制

Apostrophe 代码问题漏洞

Apostrophe是美国Apostrophe公司的一个使用 Node.js 构建的全功能开源 Cms。旨在通过在全栈 Js 环境中结合上下文编辑和无头架构来增强组织的能力。 Apostrophe CMS 2.63.0到3.3.1版本存在代码问题漏洞，攻击者可利用该漏洞劫持最近登录的用户会话。

N/A

N/A