CVE-2024-30262

2024-04-0917:16:02

CWE-613

CWE-384

[email protected]

web.nvd.nist.gov

contao cms

open source

content management system

version 4.13.40

remember-me token

vulnerability

fix

auto login

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable “Allow auto login” in the login module.

Affected configurations

Vulners

Node

contaocontaoRange<4.13.40

VendorProductVersionCPE
contaocontao*cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
contao	contao	*	cpe:2.3:a:contao:contao::::::::

CNA Affected

[
  {
    "vendor": "contao",
    "product": "contao",
    "versions": [
      {
        "version": "< 4.13.40",
        "status": "affected"
      }
    ]
  }
]