Silverstripe · Silverstripe/Framework · CVE-2022-24444
**Name of the Vulnerable Software and Affected Versions**
Silverstripe silverstripe/framework versions 4.10 and earlier
**Description**
The issue allows session fixation: unexpired session IDs belonging to logged-out users can still be used to make authenticated requests when the hybridsessions module is used without the session-manager module installed and session IDs are saved to disk. In other words, logging out does not reliably invalidate the server-side session record, so a session ID that was valid before logout keeps working until it expires.
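The failure mode described above, as an added example that is not Silverstripe's or the hybridsessions module's code: a constructed, file-backed session store where a logout that leaves the on-disk record intact keeps the old session ID authenticated, beside a logout that destroys the record and a login that issues a fresh ID instead of reusing a pre-authentication one. The class `DiskSessionStore`, the `login`/`logout_*`/`demo_*` functions and the user name are all hypothetical.

```python
import json
import os
import secrets
import tempfile
import time


class DiskSessionStore:
    """Minimal file-backed session store, constructed for this example."""

    def __init__(self, directory, ttl_seconds=3600):
        self.directory = directory
        self.ttl = ttl_seconds

    def _path(self, session_id):
        # session_id is always hex from secrets.token_hex, so it is filename-safe
        return os.path.join(self.directory, f"sess_{session_id}.json")

    def create(self, data):
        session_id = secrets.token_hex(16)
        self.write(session_id, data)
        return session_id

    def write(self, session_id, data):
        with open(self._path(session_id), "w") as fh:
            json.dump({"data": data, "expires": time.time() + self.ttl}, fh)

    def read(self, session_id):
        """Return session data, or None if the record is missing or expired."""
        try:
            with open(self._path(session_id)) as fh:
                record = json.load(fh)
        except FileNotFoundError:
            return None
        if record["expires"] < time.time():
            return None
        return record["data"]

    def destroy(self, session_id):
        try:
            os.remove(self._path(session_id))
        except FileNotFoundError:
            pass


def login(store, username, pre_auth_session_id=None):
    """Authenticate and issue a fresh session ID; never keep a pre-login ID."""
    if pre_auth_session_id is not None:
        store.destroy(pre_auth_session_id)
    return store.create({"user": username})


def logout_vulnerable(store, session_id):
    # Models the described defect: the application drops the user from its
    # in-memory state but leaves the unexpired on-disk record untouched.
    return None


def logout_fixed(store, session_id):
    # Invalidate the server-side record so the old ID cannot be replayed.
    store.destroy(session_id)
    return None


def is_authenticated(store, session_id):
    data = store.read(session_id)
    return bool(data and data.get("user"))


def demo_logout(logout):
    """Return True if the session ID still authenticates after logout."""
    with tempfile.TemporaryDirectory() as tmp:
        store = DiskSessionStore(tmp)
        sid = login(store, "alice")
        assert is_authenticated(store, sid)
        logout(store, sid)
        return is_authenticated(store, sid)


def demo_regeneration():
    """Return True if login replaced the pre-auth ID and invalidated it."""
    with tempfile.TemporaryDirectory() as tmp:
        store = DiskSessionStore(tmp)
        pre = store.create({})           # anonymous session before login
        sid = login(store, "alice", pre)
        return sid != pre and store.read(pre) is None


if __name__ == "__main__":
    print("still authenticated after vulnerable logout:", demo_logout(logout_vulnerable))
    print("still authenticated after fixed logout:", demo_logout(logout_fixed))
    print("login regenerated and invalidated pre-auth ID:", demo_regeneration())
```

`demo_logout(logout_vulnerable)` returns True, which is the condition the advisory describes: an ID that should be dead keeps working until its expiry passes. A useful regression check for any disk-backed session store is exactly this pair of calls: log in, log out, then assert the old ID no longer resolves to a user.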
**Recommendations**
For Silverstripe silverstripe/framework versions 4.10 and earlier, consider disabling the hybridsessions module until a patch is available, or ensure the session-manager module is installed to mitigate the risk of session fixation. Restrict filesystem access to the session IDs saved to disk to minimize the risk of exploitation.