
Remember-me tokens are not cleared after a password change

Moderate
leofeyer published GHSA-r4r6-j2j3-7pp5 Apr 9, 2024

Package

contao/core-bundle (Composer)

Affected versions

<4.13.40

Patched versions

4.13.40

Description

Impact

When a front end member changes their password, the corresponding remember-me tokens are not removed.

Patches

Update to Contao 4.13.40.

Workarounds

Disable "Allow auto login" in the login module.
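The following added example models the behaviour the advisory describes and its fix. It is a constructed, self-contained Python illustration, not Contao or Symfony code: the class `MemberStore`, the `allow_auto_login` switch (standing in for the login module's "Allow auto login" setting), the `clear_tokens_on_password_change` flag and the cookie layout `series:secret` are all assumptions made for illustration. The function `cookie_survives_password_change` reports whether a remember-me cookie issued before a password change still authenticates afterwards, which is the defect in versions before 4.13.40; it also shows that disabling auto login means no token is ever issued, which is why the workaround removes the exposure.

```python
"""Constructed model of remember-me token handling around a password change.
Not Contao or Symfony code; all names below are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RememberMeToken:
    series: str       # public identifier carried in the cookie
    token_hash: str   # SHA-256 of the cookie secret; the secret itself is never stored
    username: str


@dataclass
class MemberStore:
    # Stands in for the login module's "Allow auto login" switch: when False,
    # no remember-me token is issued at all (the advisory's workaround).
    allow_auto_login: bool = True
    # True models the patched behaviour; False models the pre-4.13.40 defect.
    clear_tokens_on_password_change: bool = True
    passwords: dict = field(default_factory=dict)   # username -> password hash
    tokens: dict = field(default_factory=dict)      # series -> RememberMeToken

    @staticmethod
    def _hash(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        self.passwords[username] = self._hash(password)

    def verify_password(self, username: str, password: str) -> bool:
        stored = self.passwords.get(username)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))

    def login(self, username: str, password: str, remember_me: bool = False):
        """Password login; returns a remember-me cookie value, or None if none is issued."""
        if not self.verify_password(username, password):
            raise PermissionError("bad credentials")
        if not (remember_me and self.allow_auto_login):
            return None
        series = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)
        self.tokens[series] = RememberMeToken(series, self._hash(secret), username)
        return f"{series}:{secret}"

    def auto_login(self, cookie: str):
        """Authenticate from a remember-me cookie; returns the username or None."""
        try:
            series, secret = cookie.split(":", 1)
        except ValueError:
            return None
        token = self.tokens.get(series)
        if token is None:
            return None
        if not hmac.compare_digest(token.token_hash, self._hash(secret)):
            # Known series with a wrong secret: drop the series so it cannot be reused.
            del self.tokens[series]
            return None
        return token.username

    def change_password(self, username: str, old_password: str, new_password: str) -> int:
        """Change the password; returns the number of remember-me tokens revoked."""
        if not self.verify_password(username, old_password):
            raise PermissionError("bad credentials")
        self.passwords[username] = self._hash(new_password)
        if not self.clear_tokens_on_password_change:
            return 0  # vulnerable behaviour: cookies issued earlier stay valid
        stale = [s for s, t in self.tokens.items() if t.username == username]
        for s in stale:
            del self.tokens[s]
        return len(stale)


def cookie_survives_password_change(clear_on_change: bool, allow_auto_login: bool = True) -> bool:
    """True if a remember-me cookie issued before a password change still logs in."""
    store = MemberStore(allow_auto_login=allow_auto_login,
                        clear_tokens_on_password_change=clear_on_change)
    store.register("alice", "old-pass")
    cookie = store.login("alice", "old-pass", remember_me=True)
    if cookie is None:
        return False  # no token was ever issued, so there is nothing to replay
    store.change_password("alice", "old-pass", "new-pass")
    return store.auto_login(cookie) == "alice"


if __name__ == "__main__":
    print("vulnerable, cookie still valid:", cookie_survives_password_change(False))
    print("patched, cookie still valid:   ", cookie_survives_password_change(True))
    print("auto login off, cookie valid:  ", cookie_survives_password_change(False, False))
```

The detection point for a defender is the return value of `change_password`: with the patched behaviour it is the count of tokens revoked, which should be logged alongside the password change so that a zero count for a member who has remember-me cookies outstanding is visible.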

References

https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Severity

Moderate (5.4 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2024-30262

Weaknesses

No CWEs

Credits