Miggo Logo

CVE-2023-38489: Insufficient Session Expiration after a password change

7.3

CVSS Score
3.1

Basic Information

EPSS Score
0.37146%
Published
7/28/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
getkirby/cmscomposer< 3.5.8.33.5.8.3
getkirby/cmscomposer>= 3.6.0, < 3.6.6.33.6.6.3
getkirby/cmscomposer>= 3.7.0, < 3.7.5.23.7.5.2
getkirby/cmscomposer>= 3.8.0, < 3.8.4.13.8.4.1
getkirby/cmscomposer>= 3.9.0, < 3.9.63.9.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key gaps: 1) Session validation in Auth::currentUserFromSession lacked password change timestamp checks, and 2) Login mechanisms didn't record essential timing metadata. The commit added passwordTimestamp() checks in Auth.php and login timestamp storage in User.php, confirming these were the missing protections. The test patches in AuthTest.php that validate() session invalidation after password changes further corroborate these functions' central role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### TL;*R T*is vuln*r**ility *****ts *ll Kir*y sit*s wit* us*r ***ounts (unl*ss Kir*y's *PI *n* P*n*l *r* *is**l** in t** *on*i*). It **n only ** **us** i* * Kir*y us*r is lo**** in on * **vi** or *rows*r t**t is s**r** wit* pot*nti*lly untrust** u

Reasoning

T** vuln*r**ility st*mm** *rom two k*y **ps: *) S*ssion v*li**tion in `*ut*::*urr*ntUs*r*romS*ssion` l**k** p*sswor* ***n** tim*st*mp ****ks, *n* *) Lo*in m****nisms *i*n't r**or* *ss*nti*l timin* m*t***t*. T** *ommit ***** `p*sswor*Tim*st*mp()` ****