Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| apostrophe(npm) | 2.63.0 | 3.4.0 | N/A |
CVSS Metrics
