8.8
CVE-2020-5224
- EPSS 0.44%
- Veröffentlicht 24.01.2020 20:15:10
- Zuletzt bearbeitet 21.11.2024 05:33:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSession key exposure through session list in Django User Sessions
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Django-user-sessions Project ≫ Django-user-sessions Version < 1.7.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.44% | 0.349 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| security-advisories@github.com | 6.5 | 1.3 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
https://github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g
https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9