Blueprintue Self Hosted Edition
Monthly
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.