Session Fixation in October CMS - CVE-2021-3311


Published: February 5, 2021 / Updated: March 8, 2021


Vulnerability identifier: #VU50409
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3311
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
October CMS
Software vendor:
OctoberCMS

Description

The vulnerability allows a remote attacker to impersonate CMS users.

The vulnerability exists because October CMS does not invalidate old session identifiers after user logout. A remote attacker who knows a previous session identifier can reuse it to bypass authentication and gain unauthorized access to the application.
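The defect described above, as an added example that is not October CMS or Laravel code: a constructed in-memory session store in Python whose `logout_vulnerable` only tells the browser to drop its cookie while the server-side record stays valid, next to a `logout_hardened` that destroys the record. All names and the sample user are assumptions for illustration.

```python
import secrets

# Constructed example (not October CMS or Laravel code): a minimal in-memory
# session store that contrasts a logout which only drops the browser cookie
# with one that destroys the server-side session record.

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> authenticated user

    def login(self, user, presented_sid=None):
        # Never keep an id the client presented before authenticating
        # (classic fixation); always mint a fresh, unguessable id.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        # What the authentication check does on every request.
        return self._sessions.get(sid)

    def logout_vulnerable(self, sid):
        # Defect named in the advisory: the response tells the browser to drop
        # its cookie, but the server-side record is left intact, so anyone who
        # captured the id earlier can keep using it.
        return "Set-Cookie: session=; Max-Age=0"

    def logout_hardened(self, sid):
        # Fix: destroy the server-side record, so the id is worthless even to
        # someone who still holds it.
        self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"

def reuse_after_logout(hardened):
    """Return True if a logged-out id still authenticates (constructed check)."""
    store = SessionStore()
    sid = store.login("alice")
    leaked = sid  # constructed: an id obtained before the user logged out
    (store.logout_hardened if hardened else store.logout_vulnerable)(sid)
    return store.whoami(leaked) == "alice"

if __name__ == "__main__":
    print("vulnerable logout, id still valid:", reuse_after_logout(False))  # True
    print("hardened logout, id still valid:", reuse_after_logout(True))     # False
```

A regression test for a real application follows the same shape: log in, log out, then replay the old identifier and require a 401 or a redirect to the login page.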


Remediation

Install update from vendor's website.

External links