CVE-2021-25979
Apostrophe CMS Insufficient Session Expiration vulnerability
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 0.35%
Description
Apostrophe CMS versions 2.63.0 through 3.3.1 are affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack the sessions of recently logged-in users. As a mitigation for older releases, the user account in question can be archived (3.x) or moved to the trash (2.x and earlier), which disables the existing session.
How to fix CVE-2021-25979
To remediate CVE-2021-25979, upgrade the affected package to a fixed version below.
- upgrade to 3.4.0 or later
Is CVE-2021-25979 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.63.0, < 3.4.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |