CVE-2023-38489

CVSS 3.1 Score 7.3 of 10 (high)

Details

Published Jul 27, 2023
Updated: Aug 3, 2023
CWE ID 613

Summary

CVE-2023-38489 is a vulnerability affecting Kirby, a content management system. This issue, present in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6, poses a risk for sites with user accounts. The flaw is related to insufficient session expiration, enabling attackers to maintain unauthorized access even after a user changes their password. Kirby failed to invalidate user sessions with old passwords, leaving affected sites vulnerable. The vulnerability can be exploited when users share devices or browsers with potentially untrusted individuals or when attackers use previously stolen passwords. The latest releases, Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6, include a patch to address this issue by keeping track of the hashed password in each active session. Upon updating, all users are logged out to enforce the fix.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share