CVE-2024-30262 - Insufficient Session Expiration vulnerability in Contao
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: LOW
- Availability impact: NONE
Summary
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
References
- https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
- https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5