CVE-2021-25981 CRITICAL

CVE-2021-25981: Talkyard - Insufficient Session Expiration

Vendor Debiki
Product talkyard
Weakness CWE-613 · Insufficient session expiration
Published January 3, 2022
Last update August 3, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Talkyard regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token, even after the admin has logged out, to gain admin privileges, provided the attacker is able to obtain that token (via other, hypothetical attacks).

Key dates

02 Disclosure timeline

January 3, 2022 CVE published
August 3, 2024 Record updated