CVE-2021-25966
📋 TL;DR
This vulnerability in Orchard Core CMS allows users who were already logged in to maintain access even after their password has been changed. This affects all users of vulnerable versions and can lead to unauthorized access when passwords are changed due to security concerns or user management.
💻 Affected Systems
- Orchard Core CMS
📦 What is this software?
Orchard Core by Orchardcore
⚠️ Risk & Real-World Impact
Worst Case
An attacker who has compromised a user account maintains persistent access even after the legitimate user changes their password, allowing continued data theft, privilege escalation, or system compromise.
Likely Case
Legitimate users who should have been logged out after password changes retain access, potentially violating security policies and allowing unauthorized actions if the password change was security-related.
If Mitigated
With proper session management controls, users are automatically logged out upon password changes, preventing unauthorized access.
🎯 Exploit Status
Exploitation requires an attacker to already have valid credentials and maintain an active session while the password is changed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0.0
Vendor Advisory: https://github.com/OrchardCMS/OrchardCore/security/advisories
Restart Required: Yes
Instructions:
1. Upgrade Orchard Core CMS to a version newer than 1.0.0.
2. Restart the application.
3. Verify the fix by testing the password change functionality.
🔧 Temporary Workarounds
Manual Session Invalidation
Manually invalidate all of a user's sessions after a password change, either by clearing the stored session data or by requiring re-authentication.
Implementation requires code changes to session management logic
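To illustrate the workaround above, here is an added example (not code from Orchard Core or the advisory) that shows the vulnerable session check beside a hardened one which ties each session to the password version that was current when the user logged in; the user, hashes and tokens are constructed. The per-user counter plays the same role as the security stamp in ASP.NET Core Identity, which Orchard Core is built on.

```python
import secrets
from dataclasses import dataclass

@dataclass
class User:
    name: str
    password_hash: str         # constructed stand-in; a real system stores a salted hash
    password_version: int = 0  # incremented on every password change

@dataclass
class Session:
    user: str
    issued_version: int        # the user's password_version at login time

class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, user: User) -> str:
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(user.name, user.password_version)
        return token

    def change_password(self, user: User, new_hash: str) -> None:
        user.password_hash = new_hash
        user.password_version += 1  # every session issued before this point is now stale

    def vulnerable_is_valid(self, token: str) -> bool:
        # Vulnerable rule: a session is accepted as long as it exists, so a
        # session created before the password change keeps working.
        return token in self.sessions

    def hardened_is_valid(self, token: str) -> bool:
        # Hardened rule: the session must have been issued under the user's
        # current password version; anything older forces re-authentication.
        session = self.sessions.get(token)
        if session is None:
            return False
        return session.issued_version == self.users[session.user].password_version

def demo() -> tuple[bool, bool, bool]:
    store = SessionStore()
    alice = User("alice", "hash-v1")
    store.users[alice.name] = alice
    old_token = store.login(alice)
    store.change_password(alice, "hash-v2")
    new_token = store.login(alice)  # a fresh login after the change must still work
    return (store.vulnerable_is_valid(old_token), store.hardened_is_valid(old_token),
            store.hardened_is_valid(new_token))
```

`demo()` returns `(True, False, True)`: the pre-change session survives the vulnerable check, is rejected by the hardened check, and a new login is accepted.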
🧯 If You Can't Patch
- Implement additional authentication factors (MFA) to reduce risk of unauthorized access
- Monitor for unusual user activity and implement session timeout policies
🔍 How to Verify
Check if Vulnerable:
Check Orchard Core CMS version. If between 1.0.0-beta1-3383 and 1.0.0 inclusive, the system is vulnerable.
Check Version:
Check the Orchard Core CMS admin panel or application configuration for version information.
Verify Fix Applied:
After patching, test by:
1. Log in as a user.
2. Change that user's password.
3. Verify the original session is terminated and requires re-authentication.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same user after password change
- Password change events without subsequent logout events
Network Indicators:
- Sustained authenticated sessions after password reset requests
SIEM Query:
Search for: 'password changed' AND NOT 'session terminated' within short time window
🔗 References
- https://github.com/OrchardCMS/OrchardCore/blob/v1.0.0/src/OrchardCore.Modules/OrchardCore.Users/Controllers/ResetPasswordController.cs#L123
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25966