CVE-2021-25970 — Camaleon CMS Insufficient Session Expiration vulnerability

Description

Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit `77e31bc6cdde7c951fba104aebcd5ebb3f02b030` which is included in the `2.6.0.1` release.

How to fix CVE-2021-25970

To remediate CVE-2021-25970, upgrade the affected package to a fixed version below.

—upgrade to 2.6.0.1 or later

Is CVE-2021-25970 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.1.7, < 2.6.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-25970
PATCHgithub.com/owen2345/camaleon-cms
WEBgithub.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml