Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NjU3LTk3NDMtNG1jNs4AAwF4
Tribal Systems Zenario CMS vulnerable to Session Fixation
Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with. The attack may be initiated remotely and an exploit has been disclosed.
Permalink: https://github.com/advisories/GHSA-6657-9743-4mc6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NjU3LTk3NDMtNG1jNs4AAwF4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-6657-9743-4mc6, CVE-2022-4231
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4231
- https://github.com/lithonn/bug-report/tree/main/vendors/tribalsystems/zenario/session-fixation
- https://vuldb.com/?id.214589
- https://github.com/advisories/GHSA-6657-9743-4mc6
Affected Packages
packagist:tribalsystems/zenario
Versions: <= 9.3.57595No known fixed version