CVE Vulnerabilities

CVE-2020-12467

Session Fixation

Published: Apr 29, 2020 | Modified: May 01, 2020
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
Subrion Intelliants 4.2.1 (including) 4.2.1 (including)

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References