Lucene search

Veracode Vulnerability DatabaseVERACODE:46316

HistoryApr 10, 2024 - 11:03 a.m.

Session Fixation

2024-04-1011:03:07

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability session fixation personal data password lost compromised accounts access@responsebodysoftware

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

contao/core-bundle is vulnerable to Session Fixation. The vulnerability is due to a flaw in the personal data and password lost modules. allowing compromised accounts to retain access even after password changes.

CPENameOperatorVersion
contao/core-bundlele4.13.39
contao/core-bundlele4.13.39

CPE	Name	Operator	Version
	contao/core-bundle	le	4.13.39
	contao/core-bundle	le	4.13.39

References

contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change

github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9

github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VERACODE:46316