Apostrophe CMS versions before 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and previous versions) which does disable the existing session.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apostrophecms apostrophecms |