Kirby vulnerable to Insufficient Session Expiration after a password change
CVE-2023-38489

7.3HIGH

Key Information:

Vendor

getkirby

Status
kirby
Vendor
CVE Published:
27 July 2023

What is CVE-2023-38489?

A security flaw in Kirby CMS allows attackers to retain access to user sessions even after a password change. This can happen when a user logs in on shared or untrusted devices, permitting unauthorized access to their account. The issue stems from the failure to invalidate sessions tied to an old password. To mitigate this vulnerability, updates in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 ensure that the system tracks hashed passwords for active sessions, effectively logging out users when a password is changed.

Affected Version(s)

kirby < 3.5.8.3 < 3.5.8.3

kirby >= 3.6.0, < 3.6.6.3 < 3.6.0, 3.6.6.3

kirby >= 3.7.0, < 3.7.5.2 < 3.7.0, 3.7.5.2

References

https://github.com/getkirby/kirby/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/getkirby/kirby/commit/7a0a2014c69fdb92...
x_refsource_MISC
https://github.com/getkirby/kirby/releases/tag/3.5.8.3
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.