CVE-2021-25966 HIGH

CVE-2021-25966: Orchard Core CMS - Improper Session Termination after Password Change

Vendor Orchardcore
Product Users
Weakness CWE-613 · Insufficient session expiration
Published October 10, 2021
Last update April 30, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The “Orchard Core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0, is vulnerable to improper session termination after a password change. When a password is changed by the user or by an administrator, a user who was already logged in still has access to the application after the password was changed.

Key dates

Disclosure timeline

October 10, 2021 CVE published
April 30, 2025 Record updated