Description
Apostrophe CMS versions from 2.63.0 to 3.3.1 are affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack recently logged-in users' sessions. As a mitigation for older releases, the user account in question can be archived (3.x) or moved to the trash (2.
Recommendation
Update the apostrophe package to the latest compatible version. Version details:
- Affected version(s): >= 2.63.0, < 3.4.0
- Patched version(s): 3.4.0
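As an added illustration of the weakness class described above (example code written here, not Apostrophe's own session handling), the check below rejects a session when its absolute or idle lifetime is exceeded, when the owning account has been archived or moved to the trash, or when all of the user's sessions were invalidated after the session was issued. The user store, the timeouts and the field names are assumptions for this example.

```javascript
// Constructed example, not Apostrophe code: server-side session validation that
// does not rely on the cookie alone. Timeouts are assumed values.
const MAX_SESSION_AGE_MS = 24 * 60 * 60 * 1000; // absolute lifetime: 24 hours
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;         // idle timeout: 30 minutes

// Constructed stand-in for the user collection. "archived" models a 3.x
// archived account, "trash" a 2.x trashed account. sessionsInvalidatedAt is a
// per-user watermark: sessions issued before it are no longer accepted.
const users = new Map([
  ['u1', { archived: false, trash: false, sessionsInvalidatedAt: 0 }],
  ['u2', { archived: true,  trash: false, sessionsInvalidatedAt: 0 }],
  ['u3', { archived: false, trash: false, sessionsInvalidatedAt: 5000000 }],
]);

// Returns { ok, reason } so callers (and logs) can see why a session was refused.
function validateSession(session, now) {
  if (!session || !session.userId) return { ok: false, reason: 'no-session' };
  if (now - session.createdAt > MAX_SESSION_AGE_MS) return { ok: false, reason: 'expired' };
  if (now - session.lastSeenAt > IDLE_TIMEOUT_MS) return { ok: false, reason: 'idle' };
  const user = users.get(session.userId);
  if (!user) return { ok: false, reason: 'unknown-user' };
  // Disabling the account must disable every session that points at it.
  if (user.archived || user.trash) return { ok: false, reason: 'account-disabled' };
  // Sessions issued before the user's watermark (e.g. after a forced logout
  // or password change) are refused even though their cookie is still valid.
  if (session.createdAt < user.sessionsInvalidatedAt) return { ok: false, reason: 'invalidated' };
  return { ok: true, reason: 'ok' };
}

// Moves the watermark so that every existing session for the user is refused.
function invalidateAllSessions(userId, now) {
  const user = users.get(userId);
  if (user) user.sessionsInvalidatedAt = now;
}
```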
References
Related Issues
- Strapi is vulnerable to Insufficient Session Expiration - CVE-2025-3930
- jsx-slack insufficient patch for CVE-2021-43838 ReDoS - CVE-2021-43843
- XSS vulnerability allowing arbitrary JavaScript execution - CVE-2021-41174
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
- Tags:
- npm
- apostrophe
Last updated on February 03, 2023