CVE-2024-30262 MEDIUM

CVE-2024-30262: Contao's remember-me tokens will not be cleared after a password change

Vendor Contao
Product contao
Weakness CWE-613 · Insufficient session expiration
Published April 9, 2024
Last update August 2, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.

Key dates

02Disclosure timeline

April 9, 2024 CVE published
August 2, 2024 Record updated