WS-2022-0336
Date: October 4, 2022
An Insufficient Session Expiration weakness exists in Elgg through 3.3.24 and 4.x through 4.3.2. Active sessions are not invalidated after a password change or after an admin resets the user's password, so an existing session remains usable even after the password has been changed or reset. Changing a password is the standard response to an account breach and should guarantee that the attacker no longer has access; here, however, the old session stays active and the attacker can perform every action tied to it until it expires. Versions 3.3.25 and 4.3.3 contain a patch for this issue.
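As an added example (not part of this advisory and not Elgg's code), the following PHP session store contrasts the behaviour described above with a fix that invalidates the user's other sessions on a password change or admin reset; the class, method names and sample values are all hypothetical.

```php
<?php
// Added illustration, not Elgg's code: an in-memory session store showing the CWE-613
// pattern from the advisory and its mitigation. All names and values are hypothetical.
final class SessionStore
{
    private array $sessions = [];  // session id => ['user_id' => int, 'issued_at' => int]
    private array $users = [];     // user id => ['hash' => string, 'password_changed_at' => int]

    public function addUser(int $userId, string $password): void
    {
        $this->users[$userId] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'password_changed_at' => 0];
    }
    public function login(int $userId, string $password, int $now): ?string
    {
        if (!password_verify($password, $this->users[$userId]['hash'])) return null;
        $sid = bin2hex(random_bytes(16));  // fresh, unguessable session id
        $this->sessions[$sid] = ['user_id' => $userId, 'issued_at' => $now];
        return $sid;
    }
    // Vulnerable: only the hash changes, so every existing session stays usable.
    public function changePasswordVulnerable(int $userId, string $newPassword): void
    {
        $this->users[$userId]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }
    // Fixed: record the change time and drop the user's other sessions; an admin reset
    // passes $keepSid = null so that no session survives.
    public function changePasswordFixed(int $userId, string $newPassword, int $now, ?string $keepSid = null): void
    {
        $this->users[$userId]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->users[$userId]['password_changed_at'] = $now;
        foreach ($this->sessions as $sid => $s) {
            if ($s['user_id'] === $userId && $sid !== $keepSid) unset($this->sessions[$sid]);
        }
    }
    // Resolve a session; sessions issued before the last password change are rejected as well.
    public function userForSession(string $sid): ?int
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null || $s['issued_at'] < $this->users[$s['user_id']]['password_changed_at']) return null;
        return $s['user_id'];
    }
}

$store = new SessionStore();
$store->addUser(42, 'old-secret');
$sid = $store->login(42, 'old-secret', 1000);   // session issued before the password change
$store->changePasswordVulnerable(42, 'new-secret');
var_dump($store->userForSession($sid));         // int(42): the old session still works
$store->changePasswordFixed(42, 'newer-secret', 3000);
var_dump($store->userForSession($sid));         // NULL: the old session is invalidated
```

The issued-at check in userForSession is defence in depth: it rejects a stale session even if the purge in changePasswordFixed was missed, for example on another application node.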
Language: PHP
Severity Score
Weakness Type (CWE)
CWE-613: Insufficient Session Expiration
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | HIGH |
| Integrity (I) | HIGH |
| Availability (A) | HIGH |