CVE-2021-25981 Information

Description

Talkyard regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin's still-valid session token even after the admin has logged out, thereby gaining admin privileges, provided the attacker is able to obtain that token (via other hypothetical attacks).
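As an added illustration (not Talkyard's code and not taken from the referenced commits; the session-store class and function names are assumed), the weak pattern beside the fix: a logout that only tells the browser to drop its cookie leaves the server-side session usable by whoever holds the token, whereas a logout that revokes the session server-side makes the token dead for everyone.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, is_admin, expires_at)

    def login(self, user, is_admin=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable random token
        self._sessions[token] = (user, is_admin, now + self.ttl)
        return token

    def authenticate(self, token, now=None):
        """Return the session's principal, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, is_admin, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # absolute lifetime exceeded
            return None
        return {"user": user, "is_admin": is_admin}

    def logout_clear_cookie_only(self, token):
        # Weak pattern (CWE-613): only the browser forgets the token; the server still
        # honours it, so a copy obtained elsewhere keeps working until the TTL runs out.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_revoke(self, token):
        # Fixed pattern: delete the server-side session so the token is rejected
        # no matter who presents it afterwards.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def demo():
    """Returns (token still valid after weak logout, token rejected after revoking logout)."""
    store = SessionStore()
    weak = store.login("admin", is_admin=True)
    store.logout_clear_cookie_only(weak)
    still_valid = store.authenticate(weak) is not None  # True: admin access survives logout
    fixed = store.login("admin", is_admin=True)
    store.logout_revoke(fixed)
    revoked = store.authenticate(fixed) is None  # True: token is dead server-side
    return still_valid, revoked
```

Detection-wise, the same store makes the check easy to test: any request authenticated with a token after that token's logout event is a bug, and the test below encodes exactly that expectation.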

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf34
https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae5761
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH