CVE-2021-3311
CRITICAL9.8EPSS 1.5%October CMS Session ID not invalidated after logout
Description
### Impact When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed. ### Patches Issue has been patched in Build 472 (v1.0.472) and v1.1.2. ### Workarounds Apply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2. ### References - Reported by Anisio (Brazilian Information Security Analyst) - http://cve.circl.lu/cve/CVE-2021-3311 ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) ### Threat assessment: <img width="699" alt="Screen Shot 2021-02-07 at 11 50 35 PM" src="https://user-images.githubusercontent.com/7253840/107180881-51eaf000-699f-11eb-8828-333128faf2a6.png">
Affected packages (1)
- Packagist/october/rainfrom 0, < 1.0.472
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3311
- WEBhttp://cve.circl.lu/cve/CVE-2021-3311
- WEBhttps://anisiosantos.me/october-cms-token-reactivation
- WEBhttps://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
- WEBhttps://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r
- WEBhttps://octobercms.com/forum/chan/announcements
- WEBhttps://packagist.org/packages/october/rain