CVE-2022-43687 Concrete CMS 9.0.0 - 9.1.2 does not issue a new session ID upon successful OAuth authentication.

If you have a lot of end users who don’t keep their login details up to date, this issue can lead to situations where a user’s account is active but they cannot access any of the site’s content. To resolve this issue, update to the latest version of Concrete CMS and restart your server. If you are still experiencing this issue, consider setting up an OAuth 2.0 server to ensure that all of your login information is stored securely. Learn more about how to securely store login details in OAuth 2.0 end user accounts.

Concrete CMS above 8.5.10 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Can't log in to the backend. This issue has been fixed in version 8.5.10.

Concrete CMS VCS Limitations

If you are using Concrete CMS for your main Content Management System (CMS), but you are using another application as a frontend, you may get an error message like "This session has been invalidated. Please try again". This issue has been fixed in version 8.5.10.

Fixed versions: Concrete CMS 9.1.3+ or 8.5.10+
