Critical severityNVD Advisory· Published Nov 8, 2021· Updated Apr 30, 2025
Apostrophe - Insufficient Session Expiration
CVE-2021-25979
Description
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apostrophenpm | >= 2.63.0, < 3.4.0 | 3.4.0 |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-9j9m-8wjc-ff96ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25979ghsaADVISORY
- github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7cghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.