Contao's remember-me tokens will not be cleared after a password change

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

不充分的会话过期机制

Contao 安全漏洞

Contao是一套采用PHP开发的开源内容管理系统（CMS）。该系统支持搜索引擎、权限管理和CSS框架等。 Contao 4.13.40 之前版本存在安全漏洞，该漏洞源于当前端更改密码后，令牌不会被清除。

N/A

N/A