CVE-2022-4231

MEDIUM5.4EPSS 0.21%

Tribal Systems Zenario CMS vulnerable to Session Fixation

發布日:2022/11/30修改日:2023/11/8

描述

Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with. The attack may be initiated remotely and an exploit has been disclosed.

受影響套件(1)

Packagist/tribalsystems/zenariofrom 0, <= 9.3.57595

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-4231
PATCHhttps://github.com/TribalSystems/Zenario
WEBhttps://github.com/lithonn/bug-report/tree/main/vendors/tribalsystems/zenario/session-fixation
WEBhttps://vuldb.com/?id.214589