CVE-2018-16495

EPSS 0.3%
Veröffentlicht 26.05.2021 19:15:08
Zuletzt bearbeitet 21.11.2024 03:52:52
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Versa-networks ≫ Versa Operating System Version < 16.1r2s11

Versa-networks ≫ Versa Operating System Version >= 20.2.0 < 20.2.2

Versa-networks ≫ Versa Operating System Version >= 21.1.0 < 21.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.505

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://hackerone.com/reports/1168192

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-16495

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-16495

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-16495

EUVD