6.5
CVE-2026-35192
- EPSS 0.04%
- Published 05.05.2026 16:16:12
- Last modified 07.05.2026 14:20:37
- Source 6a34fbeb-21d4-45e7-8e0a-62b95b
Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. When `SESSION_SAVE_EVERY_REQUEST` is `True`, the session cookie is re-issued on every response, but the response is not given a `Vary: Cookie` header if the session was not modified. A shared cache in front of the application can therefore store a public page together with one user's `Set-Cookie` header and serve that cached response to other clients, so a remote attacker can obtain a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Data provided by the National Vulnerability Database (NVD)
Djangoproject ≫ Django Version >= 5.2 < 5.2.14
Djangoproject ≫ Django Version >= 6.0 < 6.0.5
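To make the cache interaction concrete, the following is an added, self-contained simulation written for this page; it is not Django's code and does not reproduce the upstream patch. It models the behaviour the advisory describes: a session layer that re-issues the session cookie on every response when `SESSION_SAVE_EVERY_REQUEST` is `True`, but only marks the response `Vary: Cookie` when the session was touched, sitting behind a shared cache that keys entries on the URL plus whatever request headers the response's `Vary` names. The `hardened` flag is this example's own assumption of what a correct middleware must do (add `Vary: Cookie` whenever it sets the cookie); the `serve`, `SharedCache` and `run_scenario` names and the constructed cookie value are likewise assumptions for the example.

```python
"""Simulation of the Vary / Set-Cookie interaction behind CVE-2026-35192.

Added example, not Django code. Names other than SESSION_SAVE_EVERY_REQUEST
are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

SESSION_COOKIE = "sessionid"


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def parse_cookie(header):
    """Parse a Cookie request header into a dict (no quoting support needed here)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def add_vary(resp, header):
    """Append a header name to the response's Vary list without duplicates."""
    existing = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
    if header not in existing:
        existing.append(header)
    resp.headers["Vary"] = ", ".join(existing)


def serve(request_cookies, *, save_every_request, hardened):
    """Render a public page and run a simplified session middleware over it.

    The public view never reads or writes request.session, so neither
    'accessed' nor 'modified' is set. In the vulnerable model, Vary: Cookie is
    added only when the session was accessed, yet the session is still saved
    and Set-Cookie emitted whenever save_every_request is True and a session
    already exists. The hardened model (assumption) also adds Vary: Cookie
    whenever it emits Set-Cookie.
    """
    session_key = request_cookies.get(SESSION_COOKIE)
    accessed = False  # public view does not touch the session
    modified = False
    empty = session_key is None  # no existing session and nothing stored
    resp = Response(body="<h1>public page</h1>")
    if accessed:
        add_vary(resp, "Cookie")
    if (modified or save_every_request) and not empty:
        # Session saved and cookie re-issued with the caller's own key.
        resp.headers["Set-Cookie"] = f"{SESSION_COOKIE}={session_key}"
        if hardened:
            add_vary(resp, "Cookie")
    return resp


class SharedCache:
    """Cache (CDN / cache middleware stand-in) keyed on URL plus Vary headers."""

    def __init__(self):
        self.entries = {}  # url -> list of (vary_values, response)

    def get_or_fetch(self, url, request_headers, origin):
        for vary_values, resp in self.entries.get(url, []):
            if all(request_headers.get(h) == v for h, v in vary_values):
                return resp, True  # cache hit
        resp = origin(request_headers)
        vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        vary_values = tuple((h, request_headers.get(h)) for h in vary)
        self.entries.setdefault(url, []).append((vary_values, resp))
        return resp, False


def run_scenario(save_every_request, hardened):
    """Logged-in victim loads a public page; an anonymous attacker loads it next."""
    cache = SharedCache()

    def origin(req_headers):
        cookies = parse_cookie(req_headers.get("Cookie", ""))
        return serve(cookies, save_every_request=save_every_request, hardened=hardened)

    victim_headers = {"Cookie": f"{SESSION_COOKIE}=victim-secret-key"}  # constructed value
    cache.get_or_fetch("/public/", victim_headers, origin)
    attacker_resp, hit = cache.get_or_fetch("/public/", {}, origin)
    leaked = attacker_resp.headers.get("Set-Cookie") == f"{SESSION_COOKIE}=victim-secret-key"
    return {"cache_hit": hit, "attacker_sees_victim_session": leaked}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(save_every_request=True, hardened=False))
    print("hardened:  ", run_scenario(save_every_request=True, hardened=True))
    print("default:   ", run_scenario(save_every_request=False, hardened=False))
```

The point for operators: the exposure needs both `SESSION_SAVE_EVERY_REQUEST = True` and a shared cache that does not vary on `Cookie` (Django's cache middleware, a reverse proxy or a CDN). Until the fixed release is deployed, either turn the setting off or make sure the cache layer never stores responses carrying `Set-Cookie` or always varies on `Cookie`; with the default `SESSION_SAVE_EVERY_REQUEST = False` the public page is cached but carries no session cookie to leak.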
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.132 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | 2.3 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-539 Use of Persistent Cookies Containing Sensitive Information
The web application uses persistent cookies, but the cookies contain sensitive information.