CVE-2016-9125

EPSS 1.08%
Veröffentlicht 28.03.2017 02:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Revive-adserver ≫ Revive Adserver Version <= 3.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.08%	0.775

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://www.revive-adserver.com/security/revive-sa-2016-001/

Patch

Vendor Advisory

https://github.com/revive-adserver/revive-adserver/commit/4910365631eabbb208961c36149f41cc8159fb39

Patch

Third Party Advisory

Issue Tracking

https://hackerone.com/reports/93809

Permissions Required

https://hackerone.com/reports/93813

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2016-9125