In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Versa_operating_system | Versa-networks | * | 16.1r2s11 (excluding) |
| Versa_operating_system | Versa-networks | 20.2.0 (including) | 20.2.2 (excluding) |
| Versa_operating_system | Versa-networks | 21.1.0 (including) | 21.1.1 (excluding) |
Such a scenario is commonly observed when:
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user’s account through the active session.