5.5

CVE-2023-26288

IBM Aspera Orchestrator session fixation

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system.  IBM X-Force ID:  248477.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmAspera Orchestrator Version4.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.133
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 2.1 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
psirt@us.ibm.com 5.5 2.1 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://exchange.xforce.ibmcloud.com/vulnerabilities/248477
Vendor Advisory
VDB Entry
https://www.ibm.com/support/pages/node/7161538
Vendor Advisory