PT-2018-14426 · Bigtree · Bigtree
Juttikhun Khamchaiyaphum
·
Published
2018-10-19
·
Updated
2019-01-25
·
CVE-2018-18380
CVSS v2.0
5.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Bigtree versions prior to 4.2.24
Description
A Session Fixation issue allows an attacker to hijack an admin session by accepting a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application.
Recommendations
For versions prior to 4.2.24, update to version 4.2.24 or later to resolve the issue. As a temporary workaround, consider regenerating a new PHP session ID after a user has logged in to the application to prevent session fixation.
Fix
Session Fixation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bigtree