CVE-2022-0991 — Insufficient Session Expiration in Admidio

Description

Admidio prior to version 4.1.9 is vulnerable to insufficient session expiration. In vulnerable versions, changing the password in one session does not terminate sessions logged in with the old password, which could lead to unauthorized actors maintaining access to an account.

How to fix CVE-2022-0991

To remediate CVE-2022-0991, upgrade the affected package to a fixed version below.

—upgrade to 4.1.9 or later

Is CVE-2022-0991 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.1.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0991
PATCHgithub.com/Admidio/admidio
WEBgithub.com/admidio/admidio/commit/e84e472ebe517e2ff5795c46dc10b5f49dc4d46a
WEBgithub.com/Admidio/admidio/issues/1238
WEB