CyberSecurity news
@securityonline.info
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.
The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities.
To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng.
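The fix described above comes down to one property: a credential event (password change, account disable) must reach every live session for that user. The following is an added illustration of that pattern, not Apache Roller's code and not the project's actual fix; it is a generic Python sketch with a constructed sample user, using a single session registry that issues, validates and revokes sessions, plus a per-user credential version stamped into each session as a second check. The PBKDF2 work factor and the `demo()` walk-through are assumptions made for the example.

```python
"""Session invalidation on password change or account disable (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor only


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 0  # bumped on every password change
    enabled: bool = True


@dataclass
class Session:
    session_id: str
    username: str
    credential_version: int  # version of the credentials the session was issued under
    issued_at: float


class SessionRegistry:
    """Single authority for issuing, validating and revoking sessions.

    Every session is tracked here, so a password change or disable can reach
    all of a user's live sessions instead of leaving old ones valid.
    """

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self._users.get(username)
        if user is None or not user.enabled:
            return None
        if not hmac.compare_digest(user.password_hash, hash_password(password, user.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, username, user.credential_version, time.time())
        return sid

    def validate(self, session_id: str) -> Optional[User]:
        """Return the user for a live session, or None.

        Two independent checks: the session must still be in the registry
        (explicit revocation), and its credential_version must match the
        account's current one (defence in depth if a revocation sweep ever
        misses a session).
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        user = self._users.get(session.username)
        if user is None or not user.enabled or session.credential_version != user.credential_version:
            self._sessions.pop(session_id, None)  # lazily drop the stale session
            return None
        return user

    def change_password(self, username: str, new_password: str) -> int:
        """Rotate the password and revoke every session for the user; return count revoked."""
        user = self._users[username]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.credential_version += 1
        return self._revoke_all(username)

    def disable_user(self, username: str) -> int:
        self._users[username].enabled = False
        return self._revoke_all(username)

    def _revoke_all(self, username: str) -> int:
        doomed = [sid for sid, s in self._sessions.items() if s.username == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through: a session from leaked credentials must die on password change."""
    reg = SessionRegistry()
    reg.add_user("alice", "old-password")  # constructed sample user
    stale_sid = reg.login("alice", "old-password")  # session obtained before the password change
    before = reg.validate(stale_sid) is not None  # True: session is live
    reg.change_password("alice", "new-password")
    after = reg.validate(stale_sid) is not None  # False: revoked by the change
    fresh = reg.validate(reg.login("alice", "new-password")) is not None  # True: new login works
    return before, after, fresh
```

The registry revocation is what the advisory text calls centralized session management; the credential version stamped into each session is an extra belt-and-braces check that rejects any session issued under an older password even if it somehow escaped the sweep.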
References:
- securityaffairs.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change
- securityonline.info: CVE-2025-24859 (CVSSv4 10): Apache Roller Flaw Exposes Blogs to Unauthorized Access
- The Hacker News: Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
- bsky.app: 10/10 CVSS in the Apache Roller blogging platform "active user sessions are not properly invalidated after password changes"
- ciso2ciso.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change – Source: securityaffairs.com
- lists.apache.org: Apache Roller Fails to Invalidate Sessions on Password Change (CVE-2025-24859)
Classification:
- HashTags: #ApacheRoller #Vulnerability #Cybersecurity
- Company: Apache
- Target: Apache Roller users
- Product: Roller
- Feature: Session Management
- Type: Vulnerability
- Severity: Critical