CVE-2021-25981

moderate-risk
Published 2022-01-03

In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks)

Do I need to act?

~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 33bd1b95687644a4665deeb18bf24db478c17c87, b0310df019887f3464895529c773bc7d85ddcf34, b0712915d8a22a20b09a129924e8a29c25ae5761
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Talkyard

Affected Vendors

Talkyard

References (6)

Patch https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf...
Patch https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae57...
Patch https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981
Patch https://github.com/debiki/talkyard/commit/b0310df019887f3464895529c773bc7d85ddcf...
Patch https://github.com/debiki/talkyard/commit/b0712915d8a22a20b09a129924e8a29c25ae57...
Patch https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25981
42
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal