VYPR
Critical severityNVD Advisory· Published Nov 8, 2021· Updated Apr 30, 2025

Apostrophe - Insufficient Session Expiration

CVE-2021-25979

Description

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apostrophenpm
>= 2.63.0, < 3.4.03.4.0

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.