Session Fixation Affecting tribalsystems/zenario package, versions >=0.0.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-TRIBALSYSTEMSZENARIO-3125786
- published 30 Nov 2022
- disclosed 18 Nov 2022
- credit Ngo Van Tu, Tran Thi Nho, Huynh Nhat Hao, Le Thi Huyen My
Introduced: 18 Nov 2022
CVE-2022-4231 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
tribalsystems/zenario is a Zenario is a web-based content management system for sites with one or many languages.
Affected versions of this package are vulnerable to Session Fixation such that the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and re-login into the application when Remember me
option is active. Failing to issue a new session ID
following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.