How severe is CVE-2023-31140?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2023-31140?

This is classified as CWE-613, which is a common weakness in software security.

CVE-2023-31140 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.

Related Vulnerabilities

CVE-2017-1000131

MEDIUM

CVSS:6.5(Medium)

Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when usin...

CWE-6132017

CVE-2017-1000135

MEDIUM

CVSS:6.5(Medium)

Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.

CWE-6132017

CVE-2017-1000136

MEDIUM

CVSS:6.5(Medium)

Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change.

CWE-6132017

CVE-2018-1000814

MEDIUM

CVSS:6.5(Medium)

aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. ...

CWE-6132018

CVE-2018-7758

MEDIUM

CVSS:6.5(Medium)

A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated c...

CWE-6132018

CVE-2019-16133

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Speci...

CWE-6132019