CVE-2025-24859
Apache Roller Session Management Authentication Bypass
Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
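To make the CWE-613 pattern behind this CVE concrete, the following is an added example in Python (it is not Apache Roller's code and not the project's actual fix) that models the flawed behaviour beside the corrected one. The class names VulnerableApp and FixedApp, the revoke_all method and the in-memory user and session stores are constructed for illustration only; a real application would back the registry with its servlet container's session store.

```python
"""Added illustration of the CWE-613 pattern behind CVE-2025-24859.
Not Apache Roller's code; users and sessions are constructed in memory."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real application uses (illustrative parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class VulnerableApp:
    """Before the fix: a session is valid as long as its ID is in the store; password changes never touch it."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}  # session id -> username

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str | None:
        user = self.users.get(username)
        if user is None or not user.enabled:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def current_user(self, sid: str) -> str | None:
        return self.sessions.get(sid)  # only the cookie's existence is checked

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.pw_hash = _hash(new_password, user.salt)  # sessions left untouched

    def disable_user(self, username: str) -> None:
        self.users[username].enabled = False  # sessions left untouched


class FixedApp(VulnerableApp):
    """After the fix: a central registry maps each user to their live sessions, so a password change or disable revokes all of them."""

    def __init__(self) -> None:
        super().__init__()
        self.by_user: dict[str, set[str]] = {}

    def login(self, username: str, password: str) -> str | None:
        sid = super().login(username, password)
        if sid is not None:
            self.by_user.setdefault(username, set()).add(sid)
        return sid

    def current_user(self, sid: str) -> str | None:
        username = self.sessions.get(sid)
        if username is None or not self.users[username].enabled:
            return None  # a disabled account is rejected even with a live cookie
        return username

    def revoke_all(self, username: str) -> int:
        sids = self.by_user.pop(username, set())
        for sid in sids:
            self.sessions.pop(sid, None)
        return len(sids)

    def change_password(self, username: str, new_password: str) -> None:
        super().change_password(username, new_password)
        self.revoke_all(username)

    def disable_user(self, username: str) -> None:
        super().disable_user(username)
        self.revoke_all(username)


def session_survives_password_change(app: VulnerableApp) -> bool:
    """Attacker logs in with stolen credentials, victim then rotates the password.
    True means the attacker's old session still works (the vulnerable outcome)."""
    app.add_user("alice", "hunter2")
    stolen_sid = app.login("alice", "hunter2")
    app.change_password("alice", "correct-horse-battery-staple")
    return app.current_user(stolen_sid) == "alice"


def session_survives_disable(app: VulnerableApp) -> bool:
    """Same check for an administrator disabling the account."""
    app.add_user("bob", "pw")
    sid = app.login("bob", "pw")
    app.disable_user("bob")
    return app.current_user(sid) == "bob"
```

Running session_survives_password_change against VulnerableApp returns True and against FixedApp returns False, which is exactly the behavioural difference a practitioner should verify on a patched instance: log in from two browsers, change the password in one, and confirm the other is rejected on its next request. Where a central registry is impractical (sessions spread across nodes), the equivalent stateless approach is to store a password-version stamp in the session at login and reject any request whose stamp no longer matches the account.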

INFO

Published Date :

April 14, 2025, 9:15 a.m.

Last Modified :

April 18, 2025, 4:15 p.m.

Remotely Exploitable :

No (as recorded by this site's field; note that both CVSS v4 vectors in the change history below carry AV:N, a network attack vector, which is inconsistent with this flag)

Public PoC/Exploit Available at Github

CVE-2025-24859 has 1 public repository linked on GitHub. Go to the Public Exploits tab to see it; note that the linked repository is a score aggregator that references this CVE, not a working exploit.

Affected Products

The following products are affected by CVE-2025-24859. cvefeed.io does not represent exact affected version ranges in this table; the description above gives them (all versions up to and including 6.1.4, fixed in 6.1.5).

ID  Vendor  Product  Affected Versions              Fixed Version
1   Apache  Roller   up to and including 6.1.4      6.1.5
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-24859.

URL Resource
https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23
http://www.openwall.com/lists/oss-security/2025/04/11/1

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

EPSS & VEDAS Score Aggregator for CVEs

Topics: cve, vulnerability, exploit, epss, vedas

Updated: 1 day, 11 hours ago
235 stars, 34 forks, 34 watchers
Created: April 13, 2021, 4:50 a.m. This repository has been linked to 131 different CVEs; it aggregates EPSS and VEDAS scores rather than containing an exploit for CVE-2025-24859.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-24859 vulnerability anywhere in the article.

  • The Hacker News
⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More

Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hid ...

Published Date: Apr 21, 2025 (10 hours, 49 minutes ago)
  • Cyber Security News
Cyber Security News Letter: Key Updates on Attacks, Vulnerabilities, & Data Breaches

Welcome to this week's Cybersecurity Newsletter, where we provide the latest updates and critical insights from the swiftly changing realm of cybersecurity. This edition focuses on new threats and the ...

Published Date: Apr 21, 2025 (20 hours, 1 minute ago)
  • TheCyberThrone
CVE-2025-24054 Critical NTLM Hash Flaw

CVE-2025-24054 is a high-severity NTLM authentication vulnerability that allows attackers to leak NTLMv2-SSP (Security Support Provider) hashes through spoofing techniques. The exploitation relies on ...

Published Date: Apr 17, 2025 (4 days, 18 hours ago)
  • Dark Reading
Max Severity Bug in Apache Roller Enabled Persistent Access

The maintainers of the Apache Roller open source blogging platform patched a maximum severity bug that allowed continued access to the app even after a user changed t ...

Published Date: Apr 15, 2025 (6 days ago)
  • The Hacker News
Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain ...

Published Date: Apr 15, 2025 (6 days, 7 hours ago)
  • Cyber Security News
Apache Roller Vulnerability Let Attackers Gain Unauthorized Access

A critical security vulnerability in Apache Roller has been discovered, allowing attackers to maintain unauthorized access to blog systems even after password changes. The vulnerability, CVE-2025-2485 ...

Published Date: Apr 15, 2025 (6 days, 12 hours ago)
  • Daily CyberSecurity
Browser Wallet Flaws Allow Silent Crypto Drains Without User Interaction

A recent report by Coinspect has revealed critical vulnerabilities in popular browser wallets, raising significant concerns about the security of cryptocurrency holdings. The report w ...

Published Date: Apr 15, 2025 (6 days, 20 hours ago)
  • Daily CyberSecurity
CVE-2025-24859 (CVSSv4 10): Apache Roller Flaw Exposes Blogs to Unauthorized Access

A security vulnerability has been identified in Apache Roller, a Java-based blog server, that could allow unauthorized access to affected blog sites. The vulnerability, tracked as CVE-2025-24859 (CVSS ...

Published Date: Apr 15, 2025 (6 days, 20 hours ago)

The following table lists the changes that have been made to the CVE-2025-24859 record over time.

Vulnerability history details are useful for understanding the evolution of a vulnerability and for identifying the most recent changes that may affect its severity, exploitability, or other characteristics. For this CVE the significant change is the Apr. 18 revision of the CVSS v4 vector: the initial vector (AV:N/AC:L/AT:N/PR:N/UI:N with high impact across all metrics, the basis of the CVSS 10.0 figure repeated in the news items above) was replaced by one requiring high privileges (PR:H) and high attack complexity (AC:H) with low confidentiality and integrity impact, which corresponds to a considerably lower score. Readers relying on the 10.0 headline figure should re-check the current vector.

  • CVE Modified by [email protected]

    Apr. 18, 2025

    Action Type Old Value New Value
    Added CVSS V4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Amber
    Removed CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • New CVE Received by [email protected]

    Apr. 14, 2025

    Action Type Old Value New Value
    Added Description A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-613
    Added Reference https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
    Added Reference https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 14, 2025

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2025/04/11/1
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. [EPSS score history chart for this vulnerability not reproduced here.]

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-24859 is associated with the following CWE:

CWE-613: Insufficient Session Expiration (sessions that remain valid after a password change or account disablement, as in this case)

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-24859 weaknesses. No CAPEC entries are listed for this CVE.

© cvefeed.io
Latest DB Update: Apr. 21, 2025 20:59