Vulnerabilities > CVE-2021-25966 - Insufficient Session Expiration vulnerability in Orchardcore Orchard Core 1.0.0

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

orchardcore

CWE-613

NVD

Published: 2021-10-10

Updated: 2022-02-25

Summary

In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Vulnerable Configurations

Part	Description	Count
Application	Orchardcore Orchardcore Orchard Core 1.0.0	2

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://github.com/OrchardCMS/OrchardCore/blob/v1.0.0/src/OrchardCore.Modules/OrchardCore.Users/Controllers/ResetPasswordController.cs#L123
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25966