Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-04-09T16:45:57.132Z
Updated: 2024-08-02T01:32:07.058Z
Reserved: 2024-03-26T12:52:00.935Z
Link: CVE-2024-30262
Vulnrichment
Updated: 2024-08-02T01:32:07.058Z
NVD
Status : Awaiting Analysis
Published: 2024-04-09T17:16:02.850
Modified: 2024-11-21T09:11:34.673
Link: CVE-2024-30262
Redhat
No data.