Session Fixation Affecting tribalsystems/zenario package, versions >=0.0.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.07% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-TRIBALSYSTEMSZENARIO-3125786
  • published30 Nov 2022
  • disclosed18 Nov 2022
  • creditNgo Van Tu, Tran Thi Nho, Huynh Nhat Hao, Le Thi Huyen My

Introduced: 18 Nov 2022

CVE-2022-4231  (opens in a new tab)
CWE-384  (opens in a new tab)
First added by Snyk

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

tribalsystems/zenario is a Zenario is a web-based content management system for sites with one or many languages.

Affected versions of this package are vulnerable to Session Fixation such that the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and re-login into the application when Remember me option is active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

CVSS Scores

version 3.1