GitHub Advisory Database: GHSA-6657-9743-4MC6
Published: Nov 30, 2022 - 12:30 p.m.

Tribal Systems Zenario CMS vulnerable to Session Fixation

Published: 2022-11-30 12:30:20
Weakness: CWE-384
Source: GitHub Advisory Database (github.com)
Tags: tribal systems, zenario cms, session fixation, vulnerability, authentication token, remote exploit

CVSS v3.1 score: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 (Low), percentile 30.1%

Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser before authentication but is not changed after the user logs out and logs in again while the "Remember me" option is active. Failing to issue a new session ID following a successful login makes it possible for an attacker to set up a trap session on the device the victim is likely to log in with. The attack may be initiated remotely and an exploit has been disclosed.
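As an added example (not Zenario's code, and in Python rather than the CMS's own PHP), the constructed session store below puts the CWE-384 pattern the advisory describes next to the usual fix, regenerating the identifier on login, and `id_survives_relogin` replays the advisory's flow (login, logout, login again with "Remember me") as a regression check a defender can run against a session handler. The store, its method names and the user name "alice" are all assumptions made for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "remember_me": ...}

    def new_session(self):
        # Identifier handed to the browser before any authentication.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "remember_me": False}
        return sid

    def logout(self, sid):
        # With "Remember me" the persistent cookie keeps the identifier
        # alive, so only the user binding is cleared; otherwise drop the row.
        if self.sessions.get(sid, {}).get("remember_me"):
            self.sessions[sid]["user"] = None
        else:
            self.sessions.pop(sid, None)

    def login_vulnerable(self, sid, user, remember_me):
        # Authenticates in place: the pre-auth identifier survives login,
        # which is the CWE-384 pattern the advisory describes.
        self.sessions[sid] = {"user": user, "remember_me": remember_me}
        return sid

    def login_hardened(self, sid, user, remember_me):
        # Invalidate the pre-auth identifier and issue a fresh one whenever
        # the session's privilege level changes.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user, "remember_me": remember_me}
        return new_sid


def id_survives_relogin(store, login):
    """Replay the advisory's flow (login, logout, login again with
    "Remember me") and report whether the identifier issued before the
    first authentication is still the authenticated session afterwards."""
    sid0 = store.new_session()
    sid1 = login(sid0, "alice", True)
    store.logout(sid1)
    sid2 = login(sid1, "alice", True)  # browser resends the cookie it holds
    return sid2 == sid0 and store.sessions[sid2]["user"] == "alice"
```

A handler that returns True here lets an identifier planted before authentication become the authenticated session, which is the condition the advisory reports.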

Affected configurations

Vulners node: tribalsystems zenario, range 9.3.57595

CPE name               Operator   Version
tribalsystems/zenario  le         9.3.57595

