Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02NjU3LTk3NDMtNG1jNs4AAwF4

Tribal Systems Zenario CMS vulnerable to Session Fixation

Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with. The attack may be initiated remotely and an exploit has been disclosed.

Permalink: https://github.com/advisories/GHSA-6657-9743-4mc6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NjU3LTk3NDMtNG1jNs4AAwF4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-6657-9743-4mc6, CVE-2022-4231
References:

• https://nvd.nist.gov/vuln/detail/CVE-2022-4231
• https://github.com/lithonn/bug-report/tree/main/vendors/tribalsystems/zenario/session-fixation
• https://vuldb.com/?id.214589
• https://github.com/advisories/GHSA-6657-9743-4mc6

Repository: https://github.com/lithonn/bug-report
Blast Radius: 0.0

Affected Packages