Max Severity Bug in Apache Roller Enabled Persistent Access www.darkreading.com/vulnerabi…

The maintainers of the Apache Roller open source blogging platform patched a maximum severity bug that allowed continued access to the app even after a user changed their password. The issue stemmed from insufficient session expiration, a weakness in which a system or application fails to invalidate a user's existing active sessions after a password change. The Apache Software Foundation (ASF) has implemented a new centralized session management feature that correctly invalidates all active user sessions when a password is changed or a user disables their account.
