Contao's remember-me tokens will not be cleared after a password change
CVE-2024-30262

7.1HIGH

Key Information:

Vendor: Contao
Status: Contao
Vendor: CVE Published:; 9 April 2024

What is CVE-2024-30262?

A security vulnerability exists in Contao CMS where, before version 4.13.40, remember-me tokens remain active even after a frontend member changes their password. This oversight allows an attacker who has obtained a remember-me token to retain access to the compromised account despite the password change. The issue has been addressed in version 4.13.40, and users are advised to upgrade their systems promptly to ensure security. As a temporary workaround, disabling the 'Allow auto login' feature in the login module is recommended.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

contao < 4.13.40

References

https://github.com/contao/contao/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/contao/contao/commit/3032baa456f607169...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Mar 26, 2024

JSON

Contao