CVE-2020-5224
Session key exposure through session list in Django User Sessions
CVSS 3.1 base score: 6.5 (MEDIUM). EPSS: 0.12%.
Description
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions and is therefore included in the rendered HTML. On its own this is not a problem. However, if the website has an XSS vulnerability, the attacker can extract the session key from the page; because the session key is also the value of the session cookie, presenting it from the attacker's own browser takes over the session.
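The mechanism above, as an added example that is not code from django-user-sessions: the session list is rendered twice, once with the raw session key as the row identifier (the pre-1.7.1 pattern) and once with an HMAC-derived opaque reference, and a simulated XSS scrape shows which identifiers an attacker could replay as a cookie. The in-memory store, the `/sessions/<id>/delete/` route, `SECRET_KEY` and the reference scheme are assumptions for illustration, not the project's real models, URLs or fix.

```python
"""
Added example (not code from django-user-sessions): why putting the raw
session key into the session-list page turns an XSS into a session
takeover, and one way to render the list with an opaque reference instead.
The in-memory store, the URL pattern /sessions/<id>/delete/ and SECRET_KEY
are constructed stand-ins, not the project's real models or routes.
"""
import hashlib
import hmac
import html
import re

# Constructed sample data: session_key -> metadata for one logged-in user.
# In Django the session key is also the value of the sessionid cookie.
SESSIONS = {
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6": {"ip": "203.0.113.7", "ua": "Firefox"},
    "ffeeddccbbaa99887766554433221100": {"ip": "198.51.100.9", "ua": "Chrome"},
}
SECRET_KEY = b"constructed-server-secret-not-for-production"


def render_session_list(sessions, row_id):
    """Render the session table; row_id(session_key) supplies the identifier
    placed in each row's delete-form URL."""
    rows = []
    for key, meta in sessions.items():
        rows.append(
            f"<tr><td>{html.escape(meta['ip'])}</td><td>{html.escape(meta['ua'])}</td>"
            f'<td><form method="post" action="/sessions/{html.escape(row_id(key))}/delete/">'
            "<button>End session</button></form></td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_vulnerable(sessions):
    """Pre-fix pattern: the row identifier IS the session key, so every key
    ends up in the DOM where injected script can read it."""
    return render_session_list(sessions, lambda key: key)


def session_ref(session_key):
    """Opaque reference for a session: HMAC of the key under a server secret.
    It identifies the row but cannot be turned back into a usable cookie."""
    return hmac.new(SECRET_KEY, session_key.encode(), hashlib.sha256).hexdigest()


def render_hardened(sessions):
    """Same page, but rows carry session_ref(key) instead of the key."""
    return render_session_list(sessions, session_ref)


def terminate_session(sessions, ref):
    """Delete-view handler: resolve an opaque reference by recomputing the
    HMAC for each of the user's sessions, comparing in constant time."""
    if not isinstance(ref, str) or not ref.isascii():
        return False  # hmac.compare_digest only accepts ASCII str or bytes
    for key in list(sessions):
        if hmac.compare_digest(session_ref(key), ref):
            del sessions[key]
            return True
    return False


# What an XSS payload would do: scrape every identifier out of the page and
# try each as a cookie. Only identifiers that are real session keys help.
DELETE_ACTION_RE = re.compile(r'/sessions/([^/"]+)/delete/')


def keys_harvestable_by_xss(page_html, sessions):
    """Identifiers in the page that are also live session keys."""
    harvested = set(DELETE_ACTION_RE.findall(page_html))
    return sorted(harvested & set(sessions))


if __name__ == "__main__":
    print("vulnerable page leaks:", keys_harvestable_by_xss(render_vulnerable(SESSIONS), SESSIONS))
    print("hardened page leaks:  ", keys_harvestable_by_xss(render_hardened(SESSIONS), SESSIONS))
```

Note what the opaque reference does and does not buy: injected script still runs as the user and can still submit the delete forms or act inside the page, so the XSS itself remains the bug to fix. What the reference removes is the out-of-band replay, since nothing in the DOM can be pasted into a cookie on the attacker's machine. Resolving a reference by recomputing the HMAC over the user's own sessions is linear in that user's session count, which is small; the scheme is one way to avoid exposing the key and is not presented here as what the 1.7.1 fix commit does.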
How to fix CVE-2020-5224
To fix CVE-2020-5224, upgrade the affected package to one of the patched versions below.
- Upgrade to 1.7.1 or later.
- Or use a build that includes commit f0c4077e7d1436ba6d721af85cee89222ca5d2d9 (the fix commit) or later.
Is CVE-2020-5224 being exploited?
Low: EPSS is 0.12%, and no large-scale exploitation activity has been observed.
Affected packages (2)
- django-user-sessions: from 0, < 1.7.1
- django-user-sessions (git): from 0, < f0c4077e7d1436ba6d721af85cee89222ca5d2d9 (equivalently from 0, < 1.7.1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | not rated | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |