
We found results for “”
CVE-2021-25970
Date: October 20, 2021
Overview
Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.Details
Camaleon CMS doesn’t terminate the active session of the users, even after the admin changes the user’s password.PoC Details
Login to the application as a non-admin user (for demonstration purposes, we’ll call him “Bob”), with a private window.Now in a regular window, login as an administrator. Click on Users, All Users, Edit. Press the pencil button near “Bob” user. Change his password and save.
Go back to the private window, and notice Bob’s session persists even after the password was changed by the admin.
Affected Environments
Camaleon CMS versions 0.1.7 to 2.6.0Prevention
Update to camaleon_cms version 2.6.0.1Language: Ruby
Good to know:

Base Score: |
|
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Unchanged |
Confidentiality (C): | High |
Integrity (I): | High |
Availability (A): | High |
Base Score: |
|
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | None |
Confidentiality (C): | Partial |
Integrity (I): | Partial |
Availability (A): | Partial |
Additional information: |