Session Fixation Affecting tribalsystems/zenario package, versions >=0.0.0


0.0
medium

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity Low
    User Interaction Required
Expand this section
NVD
5.4 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-TRIBALSYSTEMSZENARIO-3125786
  • published 30 Nov 2022
  • disclosed 18 Nov 2022
  • credit Ngo Van Tu, Tran Thi Nho, Huynh Nhat Hao, Le Thi Huyen My

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

tribalsystems/zenario is a Zenario is a web-based content management system for sites with one or many languages.

Affected versions of this package are vulnerable to Session Fixation such that the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and re-login into the application when Remember me option is active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.