Lucene search

Veracode Vulnerability DatabaseVERACODE:38014

HistoryNov 16, 2022 - 4:07 a.m.

Insecure Session Management

2022-11-1604:07:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

concrete cms

vulnerability

session management

genericoauthtypecontroller.php

oauth

authentication

0.001 Low

EPSS

Percentile

46.8%

JSON

Concrete CMS is vulnerable to insecure sessions management. The vulnerability exists in the attemptAuthentication function in GenericOauthTypeController.php where it does not issue a new session ID upon successful OAuth authentication.

CPENameOperatorVersion
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2

Name	Operator	Version
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-m53v-5x5x-5m2p

github.com/concretecms/concretecms-core/commit/6f9e32b8ebdfcc79d47df57785e7ea9109fe60b7

github.com/concretecms/concretecms-core/commit/94beb230c8c4b138ec3c6265b5037fd5ad08bb22

github.com/concretecms/concretecms/commit/87d0966e2654bfb6e2a0a459a670926a72bf73bb

github.com/concretecms/concretecms/commit/92e0025f229e4b237b7d53507f771c2f9027fba3

github.com/concretecms/concretecms/pull/10991

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

0.001 Low

EPSS

Percentile

46.8%

JSON

Related for VERACODE:38014