GHSA-r4r6-j2j3-7pp5: Contao: Remember-me tokens will not be cleared after a password change

Impact

When a front end member changes their password, the corresponding remember-me tokens are not removed.

Patches

Update to Contao 4.13.40.

Workarounds

Disable “Allow auto login” in the login module.

References

https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.


Package

contao/core-bundle (Composer)

Affected versions

< 4.13.40

Patched versions

4.13.40

References

  • GHSA-r4r6-j2j3-7pp5
  • contao/contao@3032baa
  • https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change

leofeyer published to contao/contao

Apr 9, 2024

Published to the GitHub Advisory Database

Apr 9, 2024

Reviewed

Apr 9, 2024

Last updated

Apr 9, 2024
