Main Vulnerability Database SB2021020801

SB2021020801 - Session fixation in Ocrober CMS

Published: February 8, 2021 Updated: March 8, 2021

Security Bulletin ID SB2021020801

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Session Fixation (CVE-ID: CVE-2021-3311)

The vulnerability allows a remote attacker to impersonate CMS users.

The vulnerability exists due to October CMS does not invalidate old session identifiers after user logout. A remote attacker with knowledge of any previous session identifier can reuse it by bypass authentication processed and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r