Vulnerability DatabaseCVE-2024-30262
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-30262
April 09, 2024
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
Related ResourcesĀ (5)
https://nvd.nist.gov/vuln/detail/CVE-2024-30262
https://github.com/contao/contao
https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5
https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change
Do you need more information?
Contact Us
CVSS v4
Base Score:
6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Insufficient Session Expiration
CWE-613
Session Fixation
CWE-384
EPSS
Base Score:
0.28