Description
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
Remediation
References
https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c
Related Vulnerabilities
CVE-2022-31175 Vulnerability in npm package @ckeditor/ckeditor5-html-support
CVE-2017-10355 Vulnerability in maven package xerces:xercesimpl
CVE-2015-0250 Vulnerability in maven package org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom
CVE-2020-28470 Vulnerability in npm package @scullyio/scully
CVE-2022-41915 Vulnerability in maven package io.netty:netty-codec