CRITICAL🇵🇱 Wersja polska

CVE-2024-13280

CVSS 9.8v3.1pub. 2025-01-09upd. 2025-09-02

Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.

🤖 AI Analysis
How it works

The vulnerability consists in the fact that user sessions are not properly invalidated after their expiration or logout, which is characteristic of CWE-613. An attacker can exploit the Forceful Browsing technique — which is an attempt to directly access protected resources using still active, although formally invalid session tokens or persistent login cookies. In practice, this means that even after a user logs out or the intended session time expires, the persistent login mechanism does not effectively invalidate the issued tokens.

Impact

An unauthenticated attacker can gain unauthorized access to another user's account and perform actions on their behalf, leading to violations of confidentiality, integrity, and data availability. In the case of session hijacking of an account with high privileges, complete takeover of the Drupal application is possible.

Mitigation & patch

The Persistent Login module should be updated to version 1.8.0 or later (for the 1.x branch) or to version 2.2.2 or later (for the 2.x branch). Detailed information is available in the Drupal security advisory: https://www.drupal.org/sa-contrib-2024-044.

Who is affected

Drupal Persistent Login module in versions from 0.0.0 before 1.8.0 and in versions of the 2.0.x branch before 2.2.2.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Persistent Login Project Persistent Login

    APP
    Persistent Login Project
    < 1.8.02.0.0 – 2.1.1 (bez)2.2.0 – 2.2.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References