Session fixation in October CMS



Updated: 2021-03-08
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2021-3311
CWE-ID: CWE-384
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: October CMS (Web applications / CMS)
Vendor: OctoberCMS

Security Bulletin

This security bulletin contains information about 1 vulnerability.

Updated 08.03.2021

Added fixed version.

1) Session Fixation

EUVDB-ID: #VU50409

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3311

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to impersonate CMS users.

The vulnerability exists because October CMS does not invalidate old session identifiers after user logout. A remote attacker with knowledge of a previous session identifier can reuse it to bypass authentication and gain unauthorized access to the application.
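As an added illustration of the weakness class described above (constructed for this bulletin, not code from October CMS or from the referenced fix commit), a minimal Python session store contrasts a logout that only drops the cookie on the client with one that destroys the server-side record, and rotates the identifier at login so a pre-authentication id cannot be fixed:

```python
import secrets

# Minimal in-memory server-side session store, constructed for this example.
# The identifier handed to the client is the only key the server uses to look
# the session up, so the server must stop honouring it once the user logs out.
class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> session data

    def start(self):
        """Create an unauthenticated (pre-login) session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the identifier (CWE-384 mitigation)."""
        old = self._sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": user}
        return new_sid

    def user_for(self, sid):
        """Resolve a presented identifier; None means not authenticated."""
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def logout_weak(self, sid):
        """Flawed pattern: the browser forgets its cookie but the server keeps
        the record, so a previously issued identifier still authenticates."""
        return None

    def logout(self, sid):
        """Hardened pattern: destroy the server-side record on logout."""
        self._sessions.pop(sid, None)


def old_id_still_valid(fixed):
    """True if an identifier issued before logout still authenticates after it."""
    store = SessionStore()
    sid = store.login(store.start(), "alice")
    recorded = sid  # identifier recorded before the logout (constructed scenario)
    (store.logout if fixed else store.logout_weak)(sid)
    return store.user_for(recorded) is not None
```

A regression test for a real application follows the same shape: log in, log out, then replay the pre-logout cookie and require an unauthenticated response.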

Mitigation

Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.1.1

External links

https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
