by Leo Feyer

Remember-me tokens are not cleared after a password change

Date: 2024-04-09
CVE ID: CVE-2024-30262

When a front end member changes their password, the corresponding remember-me tokens are not removed. A remember-me cookie issued before the change therefore stays valid afterwards, so a member who changes their password because a device or cookie may have been compromised does not revoke the access that token grants.
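The failure mode described above, as an added example that is not part of this advisory or of Contao's code base: a minimal PHP model of persistent remember-me tokens (random series identifier plus random secret value, with only a hash of the value kept server side, the scheme Symfony's persistent remember-me services use), with the vulnerable password change beside the hardened one. The class and method names (RememberMeStore, FrontendMember, changePasswordVulnerable, changePasswordFixed) are this example's own and do not correspond to Contao classes.

```php
<?php
declare(strict_types=1);

// Added example, not Contao code: an in-memory token store standing in for the
// database table a real installation would use.
final class RememberMeStore
{
    /** @var array<string, array{username: string, hash: string}> keyed by series */
    private array $tokens = [];

    /** Issue a token for $username and return the cookie payload "series:value". */
    public function issue(string $username): string
    {
        $series = bin2hex(random_bytes(16));
        $value  = bin2hex(random_bytes(32));
        // Only the hash is stored, so a leaked table does not yield usable cookies.
        $this->tokens[$series] = ['username' => $username, 'hash' => hash('sha256', $value)];

        return $series.':'.$value;
    }

    /** Return the username the cookie authenticates, or null if it is not valid. */
    public function authenticate(string $cookie): ?string
    {
        $parts = explode(':', $cookie, 2);
        if (2 !== \count($parts) || !isset($this->tokens[$parts[0]])) {
            return null;
        }
        [$series, $value] = $parts;
        $record = $this->tokens[$series];
        if (!hash_equals($record['hash'], hash('sha256', $value))) {
            // Known series with the wrong secret: a copied cookie is being replayed,
            // so revoke the whole series instead of letting the guessing continue.
            unset($this->tokens[$series]);

            return null;
        }

        return $record['username'];
    }

    /** Delete every token that belongs to $username. */
    public function revokeAllFor(string $username): void
    {
        foreach ($this->tokens as $series => $record) {
            if ($record['username'] === $username) {
                unset($this->tokens[$series]);
            }
        }
    }

    /** How many live tokens a member still has (the check to run after a change). */
    public function countFor(string $username): int
    {
        return \count(array_filter($this->tokens, static fn (array $r): bool => $r['username'] === $username));
    }
}

final class FrontendMember
{
    private string $username;
    private string $passwordHash;
    private RememberMeStore $store;

    public function __construct(string $username, string $password, RememberMeStore $store)
    {
        $this->username = $username;
        $this->passwordHash = password_hash($password, PASSWORD_DEFAULT);
        $this->store = $store;
    }

    /** The behaviour the advisory describes: the hash is replaced, tokens stay. */
    public function changePasswordVulnerable(string $newPassword): void
    {
        $this->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    /** Hardened variant: a password change also revokes every remember-me token. */
    public function changePasswordFixed(string $newPassword): void
    {
        $this->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->store->revokeAllFor($this->username);
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('Unexpected: '.$what);
    }
    echo "ok: $what\n";
}

$store  = new RememberMeStore();
$member = new FrontendMember('alice', 'old-secret', $store);

// The member logs in with "remember me"; an attacker later copies that cookie.
$stolenCookie = $store->issue('alice');

$member->changePasswordVulnerable('new-secret');
expect('alice' === $store->authenticate($stolenCookie), 'copied cookie still logs in after the vulnerable change');

$member->changePasswordFixed('final-secret');
expect(0 === $store->countFor('alice'), 'no tokens remain after the fixed change');
expect(null === $store->authenticate($stolenCookie), 'copied cookie is rejected after the fixed change');
```

Runs with PHP 7.4 or later. In a real Contao 4.13 installation the persistent tokens are rows in a database table rather than entries in memory (tl_remember_me, assumed here from the 4.13 code base rather than stated by the advisory), so the equivalent check on a site that has not been upgraded is whether the member's token rows still exist after the password change.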

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39

Suggested solution

Upgrade to Contao 4.13.40.

Workaround

Disable "Allow auto login" in the login module.

More information

https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5