CRITICAL 9.8

GHSA-9j9m-8wjc-ff96

Apostrophe CMS Insufficient Session Expiration vulnerability

Details

Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack recently logged-in users' sessions. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / apostrophe

Introduced in: 2.63.0 Fixed in: 3.4.0

Fix npm install apostrophe@3.4.0

References

https://nvd.nist.gov/vuln/detail/CVE-2021-25979 [ADVISORY]
https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c [WEB]
https://github.com/apostrophecms/apostrophe [PACKAGE]