#VU24776 Inadequate Encryption Strength in Django User Sessions - CVE-2020-5224
Published: January 30, 2020
Vulnerability identifier: #VU24776
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-5224
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Django User Sessions
Django User Sessions
Software vendor:
Jazzband
Jazzband
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the authenticated attacker and a session takeover could happen.
Remediation
Install updates from vendor's website.