Source: The Hacker News (info@thehackernews.com)
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.

The core of the issue is insufficient session expiration (CWE-613). When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not invalidate the sessions that already exist for that account. Any session token or cookie issued before the change therefore remains valid. An attacker who has already established a session, for example with credentials that are rotated afterwards, keeps access through that session, so the password change does not evict them and the protection it is supposed to provide is bypassed.

Administrators and users of Apache Roller are strongly advised to upgrade to version 6.1.5 or later. This update implements centralized session management, ensuring that all active sessions are terminated immediately upon password changes or user deactivation. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, leading to multiple organizations being compromised.
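The two behaviours described above, modelled side by side as an added example (this is constructed illustration code, not Apache Roller's own implementation): a legacy store that keeps sessions in a bare token map, so a token obtained before a password change or deactivation keeps resolving, and a centralized store that keeps a per-user index of live tokens and revokes all of them whenever the password changes or the account is deactivated. The SHA-256 password hashing is a stand-in for a real slow KDF and is an assumption of the example, as are all class and function names.

```python
"""Model of insufficient session expiration (CWE-613) as described for
Apache Roller <= 6.1.4, beside the centralized session management that
6.1.5 is described as introducing. Constructed example, not Roller code."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class User:
    salt: str
    pw_hash: str
    active: bool = True


def hash_password(password: str, salt: str) -> str:
    # Illustrative only: a real application must use argon2/bcrypt/scrypt.
    return hashlib.sha256((salt + password).encode()).hexdigest()


class LegacySessionStore:
    """Sessions live only in a token -> username map. Changing a password or
    deactivating a user never touches that map, so old tokens keep working."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = User(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        u = self.users.get(username)
        if u is None or not u.active:
            return None
        if not hmac.compare_digest(u.pw_hash, hash_password(password, u.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def resolve(self, token: str) -> Optional[str]:
        # Looks only at the token map, never at the user's current state.
        return self.sessions.get(token)

    def change_password(self, username: str, new_password: str) -> None:
        u = self.users[username]
        u.salt = secrets.token_hex(8)
        u.pw_hash = hash_password(new_password, u.salt)
        # Defect being modelled: self.sessions is left untouched.

    def deactivate(self, username: str) -> None:
        self.users[username].active = False  # likewise leaves sessions alive


class CentralizedSessionStore(LegacySessionStore):
    """Adds a per-user index of live tokens so that every session of a user
    can be revoked from one place when credentials or account status change."""

    def __init__(self) -> None:
        super().__init__()
        self.by_user: Dict[str, Set[str]] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        token = super().login(username, password)
        if token is not None:
            self.by_user.setdefault(username, set()).add(token)
        return token

    def resolve(self, token: str) -> Optional[str]:
        username = self.sessions.get(token)
        if username is None or not self.users[username].active:
            return None
        return username

    def revoke_all(self, username: str) -> int:
        """Drop every live session of the user; returns how many were revoked."""
        tokens = self.by_user.pop(username, set())
        for t in tokens:
            self.sessions.pop(t, None)
        return len(tokens)

    def change_password(self, username: str, new_password: str) -> None:
        super().change_password(username, new_password)
        self.revoke_all(username)

    def deactivate(self, username: str) -> None:
        super().deactivate(username)
        self.revoke_all(username)


def stolen_session_survives_rotation(store: LegacySessionStore) -> bool:
    """True if a token captured before a password change still resolves after it."""
    store.add_user("admin", "hunter2")
    stolen = store.login("admin", "hunter2")
    store.change_password("admin", "correct horse battery staple")
    return store.resolve(stolen) == "admin"


if __name__ == "__main__":
    print("legacy keeps stolen session:", stolen_session_survives_rotation(LegacySessionStore()))
    print("centralized keeps stolen session:", stolen_session_survives_rotation(CentralizedSessionStore()))
```

The point the example makes is structural: a password check at login time says nothing about sessions that were issued earlier, so a session store must either be revocable per user (the `by_user` index here) or bind each session to something that changes with the credentials, and the revocation has to run from the same code path as the password change and the deactivation, not be left to each caller.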



References:
  • Cyber Security News: A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform.
  • Anonymous: A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
  • securityaffairs.com: A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.
  • securityonline.info: A security vulnerability has been identified in Apache Roller, a Java-based blog server, that could allow unauthorized access
  • The Hacker News: A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
Classification:
  • HashTags: #Vulnerability #Patching #SoftwareSecurity
  • Target: various organizations
  • Type: Vulnerability
  • Severity: Major