ID CVE-2021-25981
Summary In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin's still-valid session token, even after the admin has logged out, to gain admin privileges, provided the attacker is able to obtain that token (via other, hypothetical attacks).
References
Vulnerable Configurations
  • cpe:2.3:a:talkyard:talkyard:*:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 14-01-2022 - 18:26)
Impact:
Exploitability:
CWE CWE-613
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
Last major update 14-01-2022 - 18:26
Published 03-01-2022 - 07:15
Last modified 14-01-2022 - 18:26