Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: October 20, 2021
OverviewCamaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.
DetailsCamaleon CMS doesn’t terminate the active session of the users, even after the admin changes the user’s password.
PoC DetailsLogin to the application as a non-admin user (for demonstration purposes, we’ll call him “Bob”), with a private window.
Now in a regular window, login as an administrator. Click on Users, All Users, Edit. Press the pencil button near “Bob” user. Change his password and save.
Go back to the private window, and notice Bob’s session persists even after the password was changed by the admin.
Affected EnvironmentsCamaleon CMS versions 0.1.7 to 2.6.0
PreventionUpdate to camaleon_cms version 22.214.171.124
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||None|
|User Interaction (UI):||Required|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Medium|