CVE-2021-25979

2021-11-0815:15:07

Google

osv.dev

6.6 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.6%

JSON

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

CPENameOperatorVersion
apostropheeq2.67.0
apostropheeq3.0.0-alpha.3
apostropheeq3.0.0-alpha.4
apostropheeq3.0.0-alpha.4.2
apostropheeq2.66.0
apostropheeq3.0.0-beta.1
apostropheeq3.3.0
apostropheeq3.2.0
apostropheeq3.0.0
apostropheeq3.0.0-alpha.4.1

Name	Operator	Version
apostrophe	eq	2.67.0
apostrophe	eq	3.0.0-alpha.3
apostrophe	eq	3.0.0-alpha.4
apostrophe	eq	3.0.0-alpha.4.2
apostrophe	eq	2.66.0
apostrophe	eq	3.0.0-beta.1
apostrophe	eq	3.3.0
apostrophe	eq	3.2.0
apostrophe	eq	3.0.0
apostrophe	eq	3.0.0-alpha.4.1