Cgilua · Cgilua · CVE-2014-10400
**Name of the Vulnerable Software and Affected Versions**
CGILua versions 5.0.x
**Description**
The session.lua library uses sequential session IDs, making it easier for remote attackers to predict the session ID and hijack arbitrary sessions.
**Recommendations**
For CGILua versions 5.0.x, consider implementing a secure random session ID generation mechanism to prevent session hijacking. As a temporary workaround, consider regenerating session IDs at regular intervals to minimize the risk of exploitation.
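
One way to generate unpredictable session IDs in Lua, shown as an added example that is not CGILua's own code. The function names are hypothetical, and it assumes a POSIX host where `/dev/urandom` is available.

```lua
-- Added example, not CGILua's session.lua. Function names are hypothetical.
-- Assumes a POSIX host where /dev/urandom is backed by the kernel CSPRNG.

local ID_BYTES = 16  -- 128 bits of randomness per session ID

-- Read n bytes from the kernel CSPRNG. Fail closed rather than fall back
-- to math.random or a counter, which would make IDs predictable again.
local function random_bytes(n)
  local f, err = io.open("/dev/urandom", "rb")
  if not f then
    error("no CSPRNG available: " .. tostring(err))
  end
  local data = f:read(n)
  f:close()
  if not data or string.len(data) ~= n then
    error("short read from /dev/urandom")
  end
  return data
end

-- Return a new session ID as 32 lowercase hex characters.
local function new_session_id()
  local raw = random_bytes(ID_BYTES)
  local out = {}
  for i = 1, string.len(raw) do
    out[i] = string.format("%02x", string.byte(raw, i))
  end
  return table.concat(out)
end

-- Accept only IDs in the exact format we issue, so a client-supplied value
-- such as a small integer is rejected before any session lookup.
local function is_valid_session_id(id)
  return type(id) == "string"
     and string.len(id) == ID_BYTES * 2
     and string.find(id, "^[0-9a-f]+$") ~= nil
end

-- Self-check with constructed inputs.
local id = new_session_id()
assert(is_valid_session_id(id))
assert(new_session_id() ~= id)             -- consecutive IDs are unrelated
assert(not is_valid_session_id("12345"))   -- counter-style value is rejected
assert(not is_valid_session_id(nil))
```

The same generator can be called again when an ID is regenerated, so the replacement ID is as unpredictable as the original.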