9.8
CVE-2026-38968
- EPSS 0.38%
- Veröffentlicht 02.07.2026 00:00:00
- Zuletzt bearbeitet 08.07.2026 18:39:19
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.299 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-341 Predictable from Observable State
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
https://github.com/ntop/ntopng/commit/179a346ceb6239fd36128ccca3efa8f9ea61eeb5
https://github.com/ntop/ntopng/commit/14e22497233dc7d31d19dccb74b13bb073d16c2c