CVE-2021-25981

EPSS 2.11%
Veröffentlicht 03.01.2022 07:15:06
Zuletzt bearbeitet 21.11.2024 05:55:43
Quelle vulnerabilitylab@mend.io
CVE-Watchlists
Login
Unerledigt
Login

In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks)

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Talkyard ≫ Talkyard Version >= 0.2021.20 < 0.2021.35

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.11%	0.834

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
vulnerabilitylab@mend.io	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf34

Patch

Third Party Advisory

https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae5761

Patch

Third Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981

Patch

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2021-25981

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-25981

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-25981

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-25981