Impact
When a front end member changes their password, the corresponding remember-me tokens are not removed.
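The flaw described above, next to the behaviour a fix needs, as an added example that is not Contao's code. The class and method names are hypothetical, and an in-memory array stands in for the persistent token storage.

```php
<?php
declare(strict_types=1);

// Hypothetical model for illustration; none of these names are Contao's API.
final class RememberMeStore
{
    /** @var array<string, string> SHA-256 of token => username */
    private array $tokens = [];

    public function issue(string $username): string
    {
        $token = bin2hex(random_bytes(32));
        // Keep only a hash so a leaked store does not yield usable cookies.
        $this->tokens[hash('sha256', $token)] = $username;
        return $token;
    }

    public function authenticate(string $token): ?string
    {
        return $this->tokens[hash('sha256', $token)] ?? null;
    }

    public function deleteByUsername(string $username): void
    {
        $this->tokens = array_filter($this->tokens, static fn (string $u): bool => $u !== $username);
    }
}

final class MemberAccounts
{
    /** @var array<string, string> username => password hash */
    private array $hashes = [];

    public function __construct(private RememberMeStore $store) {}

    public function setPassword(string $username, string $password, bool $clearTokens): void
    {
        $this->hashes[$username] = password_hash($password, PASSWORD_DEFAULT);
        if ($clearTokens) {
            // Hardened path: a password change ends every persistent login.
            $this->store->deleteByUsername($username);
        }
    }
}

$store = new RememberMeStore();
$accounts = new MemberAccounts($store);
$cookie = $store->issue('alice'); // constructed sample: token from an earlier auto login
$accounts->setPassword('alice', 'new-password', false);   // flawed path: tokens untouched
var_dump($store->authenticate($cookie) === 'alice');      // old cookie still authenticates
$accounts->setPassword('alice', 'newer-password', true);  // hardened path: tokens removed
var_dump($store->authenticate($cookie) === null);         // old cookie is rejected
```

The point for a defender is that a member who resets a password after a suspected compromise stays exposed for as long as the earlier remember-me token remains valid.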
Patches
Update to Contao 4.13.40.
Workarounds
Disable "Allow auto login" in the login module.
References
https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.