CVE-2021-25970 HIGH

CVE-2021-25970: Camaleon CMS - Insufficient Session Expiration after Password Change

Vendor Camaleon_Cms
Product camaleon_cms
Weakness CWE-613 · Insufficient session expiration
Published October 20, 2021
Last update April 30, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Camaleon CMS 0.1.7 to 2.6.0 doesn't terminate a user's active sessions, even after the admin changes that user's password. A user who was already logged in will still have access to the application after the password was changed.
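The weakness described above, shown as an added example that is not Camaleon CMS code: a session check that accepts any stored session, beside one that rejects sessions issued before the last password change. The `User` struct, `SessionStore` class, and `session_epoch` field are hypothetical names chosen for illustration.

```ruby
require 'securerandom'

# Hypothetical model, not Camaleon CMS code. session_epoch counts password changes.
User = Struct.new(:name, :password_digest, :session_epoch)

class SessionStore
  def initialize
    @sessions = {} # session id => { user:, epoch: }
  end

  # Called after the user has authenticated; records the epoch at login time.
  def issue(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, epoch: user.session_epoch }
    sid
  end

  # CWE-613 pattern: any stored session is accepted, whatever happened since login.
  def valid_without_epoch?(sid)
    @sessions.key?(sid)
  end

  # Hardened check: a session issued before the last password change is
  # rejected and removed from the store.
  def valid?(sid)
    entry = @sessions[sid]
    return false unless entry
    return true if entry[:epoch] == entry[:user].session_epoch
    @sessions.delete(sid)
    false
  end
end

# A password change (by the user or an admin) bumps the epoch, which
# invalidates every session issued under the old password.
def change_password(user, new_digest)
  user.password_digest = new_digest
  user.session_epoch += 1
end

# Constructed scenario: log in, have the password changed, log in again.
def demo
  user = User.new('editor', 'constructed-old-digest', 0)
  store = SessionStore.new
  stale = store.issue(user)
  change_password(user, 'constructed-new-digest')
  fresh = store.issue(user)
  { stale_vulnerable: store.valid_without_epoch?(stale),
    stale_hardened: store.valid?(stale),
    fresh_hardened: store.valid?(fresh) }
end
```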

Key dates

02 Disclosure timeline

October 20, 2021 CVE published
April 30, 2025 Record updated