The MFA management features did not properly terminate existing user sessions when a users MFA methods have been modified.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
Name | Vendor | Start Version | End Version |
---|---|---|---|
Joomla! | Joomla | 3.2.0 (including) | 3.10.15 (excluding) |
Joomla! | Joomla | 4.0.0 (including) | 4.4.3 (excluding) |
Joomla! | Joomla | 5.0.0 (including) | 5.0.3 (excluding) |