Camaleon CMS - Insufficient Session Expiration after Password Change
Description
Camaleon CMS 0.1.7 to 2.6.0 does not terminate a user's active sessions, even after an admin changes that user's password. A user who was already logged in will still have access to the application after the password has been changed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Camaleon CMS 0.1.7 to 2.6.0 fails to invalidate active sessions after a password change, allowing continued access.
Vulnerability
Camaleon CMS versions 0.1.7 through 2.6.0 do not terminate active user sessions after an administrator changes the user's password. The session remains valid because the application does not invalidate the old auth_token stored in the cookie. This affects all users whose passwords are changed by an admin, including the user themselves if they change their own password via the profile form. The issue is present in the session handling logic within the cama_current_user method and the updated_ajax action [1][3].
Exploitation
An attacker who already has an active session (e.g., via a stolen or previously valid cookie) can continue to access the application even after the account password is changed by an administrator. No additional authentication or user interaction is required; the existing cookie remains valid. The attacker simply uses the same auth_token cookie to make requests, and the server accepts it because the token is not rotated or invalidated upon password change [1][3].
Impact
Successful exploitation allows an attacker with a valid session to maintain unauthorized access to the affected Camaleon CMS instance indefinitely after a password change. This can lead to information disclosure, data modification, or privilege escalation depending on the attacker's original role. The session retains the same privileges as before the password change, so an attacker could continue to perform actions as the compromised user [1][3].
Mitigation
The vulnerability is fixed in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030 [3]. The fix ensures that when a password is changed, all existing sessions for that user are invalidated except the session that performed the change. The patch modifies the updated_ajax action to call update_auth_token_in_cookie and updates the cama_current_user method to use the first token from the cookie. Users should upgrade to a version containing this fix (likely after 2.6.0). No workaround is documented; upgrading is the recommended action [3][4].
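The invalidation the fix describes, as an added, self-contained Ruby sketch (not Camaleon CMS code): `DemoUser`, the plain `&`-joined cookie strings, the SHA-256 stand-in for the real password hashing and all helper names are assumptions of this example, each mirroring the role of the patched method named in its comment.

```ruby
require 'securerandom'
require 'digest'

# Added illustration (not Camaleon CMS code) of the fix in commit 77e31bc6: the
# cookie's first "&" field identifies the session; a password change rotates it.
class DemoUser
  attr_reader :auth_token, :password_digest
  def initialize(password)
    @password_digest = Digest::SHA256.hexdigest(password) # stand-in for bcrypt
    @auth_token = SecureRandom.hex(16)
  end

  # Counterpart of the before_update callback: rotate the token whenever the
  # digest changes, so every cookie still carrying the old token stops working.
  def change_password!(new_password)
    new_digest = Digest::SHA256.hexdigest(new_password)
    return false if new_digest == @password_digest
    @password_digest = new_digest
    @auth_token = SecureRandom.hex(16)
    true
  end
end

# Mirrors cookie_split_auth_token / cookie_auth_token_complete?; nil-safe.
def split_cookie(cookie)
  cookie&.split('&')
end
def cookie_complete?(cookie)
  split_cookie(cookie)&.size == 3
end

# Mirrors cama_current_user: resolve the cookie's first field to a user.
def current_user(users, cookie)
  return nil unless cookie_complete?(cookie)
  users.find { |u| u.auth_token == split_cookie(cookie).first }
end

# Mirrors update_auth_token_in_cookie: swap in the rotated token, keep the rest.
def update_cookie_token(cookie, token)
  return cookie unless cookie_complete?(cookie)
  [token, *split_cookie(cookie)[1..-1]].join('&')
end

# Mirrors updated_ajax: only an actor changing their own password keeps a valid
# cookie; an admin changing someone else's password is unaffected by the rotation.
def change_password(users, target, new_password, actor_cookie)
  acting_on_self = current_user(users, actor_cookie).equal?(target)
  changed = target.change_password!(new_password)
  return actor_cookie unless changed && acting_on_self
  update_cookie_token(actor_cookie, target.auth_token)
end
```

Run it with two users: after an admin changes another user's password, that user's old cookie resolves to nobody while the admin's cookie is untouched; a user changing their own password receives a rewritten cookie and stays logged in.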
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| camaleon_cms | RubyGems | >= 0.1.7, < 2.6.0.1 | 2.6.0.1 |
Affected products
- camaleon_cms/camaleon_cms (Range: 0.1.7)
Patches
- 77e31bc6cdde: Logout user on password change, except in the session making the change
3 files changed · +32 −5
app/controllers/camaleon_cms/admin/users_controller.rb+16 −1 modified@@ -46,7 +46,22 @@ def update # update som ajax requests from profile or user form def updated_ajax @user = current_site.users.find(params[:user_id]) - render inline: @user.update(params.require(:password).permit!) ? "" : @user.errors.full_messages.join(', ') + update_session = current_user_is?(@user) + @user.update(params.require(:password).permit!) + render inline: @user.errors.full_messages.join(', ') + # keep user logged in when changing their own password + update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest? + end + + def update_auth_token_in_cookie(token) + return unless cookie_auth_token_complete? + current_token = cookie_split_auth_token + updated_token = [token, *current_token[1..-1]] + cookies[:auth_token] = updated_token.join("&") + end + + def current_user_is?(user) + user_auth_token_from_cookie == user.auth_token rescue false end def edit
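Review bot: `current_user_is?` in users_controller.rb relies on the `rescue false` modifier, which swallows every exception (not only the NoMethodError raised when no auth_token cookie is present) just to cover the missing-cookie case; make that explicit, e.g. `return false unless cookie_auth_token_complete?` before the comparison, and move `update_auth_token_in_cookie` and `current_user_is?` under `private`, since as written they are public methods on an admin controller rather than actions. The rewritten `updated_ajax` also keeps `params.require(:password).permit!` as the argument to `@user.update`, so the mass-assignment surface of the replaced line is unchanged by this hunk.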
app/helpers/camaleon_cms/session_helper.rb+14 −4 modified@@ -120,11 +120,21 @@ def cama_current_user @cama_current_user = cama_calc_api_current_user return @cama_current_user if @cama_current_user - return nil unless cookies[:auth_token].present? - c = cookies[:auth_token].split("&") - return nil unless c.size == 3 + return nil unless cookie_auth_token_complete? - @cama_current_user = current_site.users_include_admins.find_by_auth_token(c[0]).try(:decorate) + @cama_current_user = current_site.users_include_admins.find_by_auth_token(user_auth_token_from_cookie).try(:decorate) + end + + def cookie_auth_token_complete? + cookie_split_auth_token&.size == 3 + end + + def cookie_split_auth_token + cookies[:auth_token]&.split("&") + end + + def user_auth_token_from_cookie + cookie_split_auth_token.first end # check if a visitor was logged in
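Review bot: `user_auth_token_from_cookie` calls `.first` on `cookie_split_auth_token` without the safe-navigation operator its two sibling helpers use, so it raises when no auth_token cookie is present; `cama_current_user` is shielded by the preceding `return nil unless cookie_auth_token_complete?` guard, but the controller's `current_user_is?` calls it unguarded and only survives through `rescue false`. Suggest `cookie_split_auth_token&.first` so the helper is nil-safe on its own.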
app/models/concerns/camaleon_cms/user_methods.rb+2 −0 modified@@ -11,6 +11,8 @@ module CamaleonCms::UserMethods extend ActiveSupport::Concern before_destroy :reassign_posts after_destroy :reassign_comments before_create { generate_token(:auth_token) } + # invaliidate sessions when changing password + before_update { generate_token :auth_token if will_save_change_to_password_digest? } # relations cama_define_common_relationships('User')
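Review bot: the new comment in user_methods.rb misspells "invaliidate". The callback itself is the core of the fix and reads correctly: regenerating `auth_token` in `before_update` whenever `will_save_change_to_password_digest?` is true means any cookie still carrying the previous token no longer resolves in `cama_current_user`, and the controller re-issues the new token only to the session that made the change; it would be worth stating in the comment that this is what enforces the "logout everywhere else" behaviour, since the controller hunk alone does not.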
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-438x-2p9v-g8h9 (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-25970 (GHSA, advisory)
3. github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030 (GHSA, x_refsource_MISC, web)
4. github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml (GHSA, web)
5. www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970 (GHSA, x_refsource_MISC, web)