CVE-2021-25979 – apostrophe
Package
Manager: npm
Name: apostrophe
Vulnerable Version: >=2.63.0 <3.4.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00363 (percentile 0.57634)
Details
Apostrophe CMS Insufficient Session Expiration vulnerability
Apostrophe CMS versions 2.63.0 through 3.3.1 are affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack recently logged-in users' sessions. As a mitigation for older releases, the user account in question can be archived (3.x) or moved to the trash (2.x and earlier), which disables the existing session.
Metadata
Created: 2021-11-10T17:02:44Z
Modified: 2022-08-22T22:01:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-9j9m-8wjc-ff96/GHSA-9j9m-8wjc-ff96.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-9j9m-8wjc-ff96
Finding: F280
Auto approve: 1