CVE-2021-25981

Talkyard - Insufficient Session Expiration

Description

In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks)

Remediation

Solution:

Upgrade to version v0.2021.35

References

Link	Tags
https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf34	third party advisory patch
https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae5761	third party advisory patch
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981	patch third party advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2021-25981?: CVE-2021-25981 has been scored as a critical severity vulnerability.
How to fix CVE-2021-25981?: To fix CVE-2021-25981: Upgrade to version v0.2021.35
Is CVE-2021-25981 being actively exploited in the wild?: It is possible that CVE-2021-25981 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-25981?: CVE-2021-25981 affects debiki talkyard.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-613 – Insufficient Session Expiration

References

Frequently Asked Questions