CVE-2024-30262

HIGH Year: 2024
CVSS v3 Score
7.1
High
Weakness Type
CWE-384
View all →

Vulnerability Description

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.

Related Vulnerabilities

CVE-2022-24781

HIGH
CVSS:7.1(High)

Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of...

CWE-3842022

CVE-2024-56529

HIGH
CVSS:7.1(High)

Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in...

CWE-3842024

CVE-2024-7341

HIGH
CVSS:7.1(High)

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin optio...

CWE-3842024

CVE-2016-6043

HIGH
CVSS:7.0(High)

Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced.

CWE-3842016

CVE-2023-24477

MEDIUM
CVSS:7.0(High)

In certain conditions, depending on timing and the usage of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Thus an authen...

CWE-3842023

CVE-2019-5406

HIGH
CVSS:7.2(High)

A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1.

CWE-3842019