
CVE-2021-25981

Talkyard - Insufficient Session Expiration

In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin's still-valid session token even after the admin has logged out, and thereby gain admin privileges, provided the attacker is able to obtain that token (via other, hypothetical attacks).
Data provided by the National Vulnerability Database (NVD)

Affected product: Talkyard (vendor: Talkyard), versions >= 0.2021.20 and < 0.2021.35

No advisory was found for this CVE.

EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  2.46%   0.824
CVSS Metrics
Source                    Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov              9.8         3.9            5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov              10          10             10            AV:N/AC:L/Au:N/C:C/I:C/A:C
vulnerabilitylab@mend.io  9.8         3.9            5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References
https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf34 (Patch, Third Party Advisory)
https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae5761 (Patch, Third Party Advisory)
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981 (Patch, Third Party Advisory, VDB Entry)