derhansen/fe_change_pwd uses insecure session management. The vulnerability exists because the updatePassword function in FrontendUserService.php fails to revoke existing sessions for the current user when the password has been changed, allowing an attacker to bypass the authentication mechanism.
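
The flaw described above, modelled in plain PHP as an added example; this is not the extension's or TYPO3's code. The `SessionStore` class, both function names and the sample user are hypothetical, and keeping the caller's own session alive after the change is an assumption.

```php
<?php
declare(strict_types=1);
// Hypothetical in-memory model (constructed for illustration, no TYPO3 APIs).
final class SessionStore
{
    /** @var array<string,int> session id => user id */
    private array $sessions = [];
    public function create(int $userId): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = $userId;
        return $id;
    }
    public function isValid(string $id): bool
    {
        return isset($this->sessions[$id]);
    }
    // Remove every session owned by $userId except $keep (the caller's own).
    public function revokeAllForUser(int $userId, ?string $keep = null): void
    {
        foreach ($this->sessions as $id => $owner) {
            if ($owner === $userId && $id !== $keep) {
                unset($this->sessions[$id]);
            }
        }
    }
}

// Flawed pattern: the hash changes, sessions issued under the old password survive.
function updatePasswordWithoutRevocation(array &$hashes, int $userId, string $new): void
{
    $hashes[$userId] = password_hash($new, PASSWORD_DEFAULT);
}

// Hardened pattern: change the hash, then revoke the user's other sessions.
function updatePasswordWithRevocation(array &$hashes, SessionStore $store, int $userId, string $new, string $current): void
{
    $hashes[$userId] = password_hash($new, PASSWORD_DEFAULT);
    $store->revokeAllForUser($userId, $current);
}

// Constructed scenario: user 7 holds two sessions, e.g. on two devices.
$store = new SessionStore();
$hashes = [7 => password_hash('old-password', PASSWORD_DEFAULT)];
[$other, $mine] = [$store->create(7), $store->create(7)];
updatePasswordWithoutRevocation($hashes, 7, 'new-password-1');
printf("other session valid after flawed update: %s\n", var_export($store->isValid($other), true));
updatePasswordWithRevocation($hashes, $store, 7, 'new-password-2', $mine);
printf("other session valid after hardened update: %s\n", var_export($store->isValid($other), true));
```
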
Name | Operator | Version |
---|---|---|
derhansen/fe_change_pwd | le | 2.0.4 |
derhansen/fe_change_pwd | le | 3.0.2 |