Session fixation in Ocrober CMS

1) Session Fixation

EUVDB-ID: #VU50409

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3311

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to impersonate CMS users.

The vulnerability exists due to October CMS does not invalidate old session identifiers after user logout. A remote attacker with knowledge of any previous session identifier can reuse it by bypass authentication processed and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.1.1

CPE2.3

• cpe:2.3:a:octobercms:october:1.0.319:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.320:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.321:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.322:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.323:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.324:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.325:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.326:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.327:*:*:*:*:*:*:*
• cpe:2.3:a:octobercms:october:1.0.328:*:*:*:*:*:*:*

External links

https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.