Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-09T16:45:57.132Z

Updated: 2024-08-02T01:32:07.058Z

Reserved: 2024-03-26T12:52:00.935Z

Link: CVE-2024-30262

cve-icon Vulnrichment

Updated: 2024-08-02T01:32:07.058Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-09T17:16:02.850

Modified: 2024-11-21T09:11:34.673

Link: CVE-2024-30262

cve-icon Redhat

No data.