CVE-2021-25979 CRITICAL

CVE-2021-25979: Apostrophe - Insufficient Session Expiration

Vendor Apostrophe
Product Apostrophe
Weakness CWE-613 · Insufficient session expiration
Published November 8, 2021
Last update April 30, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when a user account was disabled or its password was changed, so an existing session on a device compromised by a third party could not be terminated by those means. As a mitigation for older releases, the user account in question can be archived (3.x) or moved to the trash (2.x and earlier), which does invalidate the existing session.

Key dates

Disclosure timeline

November 8, 2021 CVE published
April 30, 2025 Record updated