CVE-2018-13337

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users session cookies via JavaScript.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name	Vendor	Start Version	End Version
Terramaster_operating_system	Terra-master	3.1.03 (including)	3.1.03 (including)

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

https://cwe.mitre.org/data/definitions/196.html
https://cwe.mitre.org/data/definitions/21.html
https://cwe.mitre.org/data/definitions/31.html
https://cwe.mitre.org/data/definitions/39.html
https://cwe.mitre.org/data/definitions/59.html
https://cwe.mitre.org/data/definitions/60.html
https://cwe.mitre.org/data/definitions/61.html

References

https://blog.securityevaluators.com/vulnerabilities-in-terramaster-tos-3-1-03-fb99cf88b86a

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-13337
CWE	https://cwe.mitre.org/data/definitions/384.html

Session Fixation

Weakness

Affected Software

Extended Description

Potential Mitigations

Related Attack Patterns

References