What is CVE-2021-25979?

CVE-2021-25979 is a vulnerability in Apostrophe CMS versions prior to 3.3.1.

What is the severity of CVE-2021-25979?

CVE-2021-25979 has a severity value of 9.8 which is considered critical.

How does CVE-2021-25979 affect Apostrophe CMS?

CVE-2021-25979 allows a compromised device to not be locked out when a user account is disabled or password is changed in Apostrophe CMS versions prior to 3.3.1.

How can I mitigate the impact of CVE-2021-25979?

To mitigate CVE-2021-25979, it is recommended to update Apostrophe CMS to version 3.3.1 or later.

Is there a reference to learn more about CVE-2021-25979?

Yes, you can find more information about CVE-2021-25979 at the following link: [GitHub Commit](https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c).

Vulnerability/
CVE-2021-25979

critical

9.8

CWE

613

8/11/2021

3/8/2024

CVE-2021-25979: Apostrophe - Insufficient Session Expiration

First published: Mon Nov 08 2021(Updated: )

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

Credit: vulnerabilitylab@mend.io

Affected Software	Affected Version	How to fix
Apostrophecms Apostrophecms	>=2.63.0<3.3.1

Remedy

https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c

Remedy

Upgrade to version 3.4.0

Never miss a vulnerability like this again

Reference Links

https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c

Frequently Asked Questions

What is CVE-2021-25979?
CVE-2021-25979 is a vulnerability in Apostrophe CMS versions prior to 3.3.1.
What is the severity of CVE-2021-25979?
CVE-2021-25979 has a severity value of 9.8 which is considered critical.
How does CVE-2021-25979 affect Apostrophe CMS?
CVE-2021-25979 allows a compromised device to not be locked out when a user account is disabled or password is changed in Apostrophe CMS versions prior to 3.3.1.
How can I mitigate the impact of CVE-2021-25979?
To mitigate CVE-2021-25979, it is recommended to update Apostrophe CMS to version 3.3.1 or later.
Is there a reference to learn more about CVE-2021-25979?
Yes, you can find more information about CVE-2021-25979 at the following link: [GitHub Commit](https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c).

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/remedy
agent/weakness
agent/severity
agent/references
agent/author
agent/event
agent/description
agent/first-publish-date
agent/tags
agent/source
vendor/apostrophecms
canonical/apostrophecms apostrophecms
version/apostrophecms apostrophecms/2.63.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.