Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
Briefly

A significant security vulnerability has been identified in Apache Roller, a Java-based blogging server, affecting all versions up to and including 6.1.4. The issue, tracked as CVE-2025-24859, has a CVSS score of 10.0, the maximum severity. It allows active user sessions to remain valid even after a password change, so anyone holding an old session keeps access to the account after the user rotates the credential. Version 6.1.5 addresses this by enforcing centralized session management that invalidates all of a user's sessions once the password is changed. The discovery was made by security researcher Haining Meng. This vulnerability surfaces amidst other recent critical exploits in various Apache software components.
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes.
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes.
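To make the defect concrete, the following is an added illustration, not Roller's own code: a minimal model of a session store in which the weak password-change handler only rotates the hash (the behaviour described above), while the hardened handler uses a central registry to revoke every session for that user and binds each session to a credential version so stale sessions are rejected even if a copy survives elsewhere. All names (`Account`, `SessionRegistry`, `change_password_weak`, `change_password`) are assumptions for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    password_hash: str           # constructed stand-in for a real password hash
    credential_version: int = 0  # bumped on every password change

@dataclass
class Session:
    token: str
    username: str
    credential_version: int      # account version this session was issued under

class SessionRegistry:
    """Central registry: every live session is indexed by token and by user."""

    def __init__(self) -> None:
        self.by_token: dict[str, Session] = {}
        self.by_user: dict[str, set[str]] = {}

    def issue(self, account: Account) -> str:
        token = secrets.token_urlsafe(16)
        self.by_token[token] = Session(token, account.username, account.credential_version)
        self.by_user.setdefault(account.username, set()).add(token)
        return token

    def revoke_all(self, username: str) -> int:
        tokens = self.by_user.pop(username, set())
        for token in tokens:
            self.by_token.pop(token, None)
        return len(tokens)

    def is_valid(self, token: str, account: Account) -> bool:
        session = self.by_token.get(token)
        # Unknown tokens fail; so do sessions issued under an older credential version.
        return session is not None and session.credential_version == account.credential_version

def change_password_weak(account: Account, new_hash: str) -> None:
    """Models the reported bug: the hash changes, sessions are left untouched."""
    account.password_hash = new_hash

def change_password(account: Account, new_hash: str, registry: SessionRegistry) -> int:
    """Hardened pattern: rotate the hash, bump the version, revoke every live session."""
    account.password_hash = new_hash
    account.credential_version += 1
    return registry.revoke_all(account.username)
```

A detection-side check for the same class of bug is to log in, change the password from a second browser, and confirm the first browser's session is rejected on its next request.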
Read at The Hacker News