Inadequate Encryption Strength in Django User Sessions - CVE-2020-5224
Published: January 30, 2020
Vulnerability identifier: #VU24776
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-5224
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jazzband
Affected software:
Django User Sessions
Django User Sessions
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the authenticated attacker and a session takeover could happen.
How to mitigate CVE-2020-5224
Install updates from vendor's website.