Lucene search

K
nvd[email protected]NVD:CVE-2024-30262
HistoryApr 09, 2024 - 5:16 p.m.

CVE-2024-30262

2024-04-0917:16:02
CWE-613
CWE-384
web.nvd.nist.gov
contao cms
security issue
version 4.13.40
remember-me tokens
auto login disable

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable “Allow auto login” in the login module.

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

Related for NVD:CVE-2024-30262