CVE-2020-4555

IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/196.html
• https://cwe.mitre.org/data/definitions/21.html
• https://cwe.mitre.org/data/definitions/31.html
• https://cwe.mitre.org/data/definitions/39.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/60.html
• https://cwe.mitre.org/data/definitions/61.html

References

• https://exchange.xforce.ibmcloud.com/vulnerabilities/183328
• https://www.ibm.com/support/pages/node/6388702
• https://www.ibm.com/support/pages/node/6388704
• https://www.ibm.com/support/pages/node/6388706
• https://www.ibm.com/support/pages/node/6388708
• https://www.ibm.com/support/pages/node/6388722
• https://www.ibm.com/support/pages/node/6388744