Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Mzh4LTJwOXYtZzhoOc4AArCm
Camaleon CMS Insufficient Session Expiration vulnerability
Camaleon CMS 0.1.7 through 2.6.0 does not terminate a user's active sessions, even after the admin changes that user's password. A user who was already logged in still has access to the application after the password has been changed. Resolved in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030, which is included in the 2.6.0.1 release.
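The remediation pattern for this class of bug is to bind each server-side session to a per-user value that is rotated whenever the password changes, so that a password reset invalidates every session issued before it. The following is an added illustration in plain Ruby; it is not Camaleon CMS code and does not reproduce the fix in the commit above. The `User`, `SessionStore` and `session_survives_password_change?` names, the in-memory session table and the PBKDF2 parameters are all constructed for the example.

```ruby
require "securerandom"
require "openssl"

# Constant-time byte comparison so that token checks do not leak
# match length through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal user record (constructed; not Camaleon's User model).
class User
  attr_reader :id, :session_token

  def initialize(id, password)
    @id = id
    change_password(password)
  end

  # Re-hash the password and rotate the per-user session token, so every
  # session issued under the previous password stops validating.
  def change_password(new_password)
    @salt = SecureRandom.random_bytes(16)
    @password_digest = pbkdf2(new_password)
    @session_token = SecureRandom.hex(16)
  end

  def authenticate(password)
    secure_compare(pbkdf2(password), @password_digest)
  end

  private

  def pbkdf2(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 100_000, 32, "sha256")
  end
end

# Server-side session table. bind_to_password: false reproduces the
# behaviour the advisory describes (a session stays valid for as long as
# the record exists); bind_to_password: true is the remediation pattern.
class SessionStore
  def initialize(users, bind_to_password:)
    @users = users
    @bind = bind_to_password
    @sessions = {}
  end

  def login(user_id, password)
    user = @users[user_id]
    return nil unless user&.authenticate(password)
    sid = SecureRandom.hex(16)
    # Record the token that was current at login time.
    @sessions[sid] = { user_id: user_id, token: user.session_token }
    sid
  end

  def current_user(sid)
    entry = @sessions[sid]
    return nil unless entry
    user = @users[entry[:user_id]]
    return nil unless user
    # The fix: a session only resolves while its recorded token still
    # matches the user's current one, i.e. the password has not changed.
    return nil if @bind && !secure_compare(entry[:token], user.session_token)
    user
  end
end

# Walk through the advisory scenario: log in, an admin resets the
# password, then check whether the pre-reset session still resolves.
def session_survives_password_change?(bind_to_password:)
  alice = User.new(1, "correct horse battery staple")
  store = SessionStore.new({ 1 => alice }, bind_to_password: bind_to_password)
  sid = store.login(1, "correct horse battery staple")
  raise "login failed" if sid.nil?
  alice.change_password("new password set by admin") # admin-side reset
  !store.current_user(sid).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "unbound sessions survive reset: #{session_survives_password_change?(bind_to_password: false)}"
  puts "bound sessions survive reset:   #{session_survives_password_change?(bind_to_password: true)}"
end
```

The same effect can be had by storing a password-change timestamp or a hash of the password digest in the session instead of a separate token; the essential property is that the value compared on every request changes whenever the credential does, and that the comparison happens server-side rather than trusting anything the client presents.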
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Mzh4LTJwOXYtZzhoOc4AArCm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00195
EPSS Percentile: 0.57187
Identifiers: GHSA-438x-2p9v-g8h9, CVE-2021-25970
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-25970
- https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml
- https://github.com/advisories/GHSA-438x-2p9v-g8h9
Blast Radius: 11.3
Affected Packages
rubygems:camaleon_cms
Dependent packages: 7
Dependent repositories: 19
Downloads: 342,047 total
Affected Version Ranges: >= 0.1.7, < 2.6.0.1
Fixed in: 2.6.0.1
All affected versions: 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0, 2.8.1, 2.8.2, 2.8.3
All unaffected versions: 0.0.1, 0.0.2, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6