PT-2019-11396 · Pydio · Pydio

Published 2019-05-31 · Updated 2019-06-03 · CVE-2019-10045

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pydio versions through 8.2.2
Description: The web application discloses the value of the session cookie in the response body when the get sess id action is invoked. Because the value is returned in the body, client-side scripts can read it, and an attacker who obtains it can reuse the session cookie to impersonate the user and perform actions on their behalf for as long as the session remains active.
Recommendations: For versions through 8.2.2, as a temporary workaround, restrict access to the get sess id action in the web application to reduce the risk of session cookie disclosure. At the moment there is no information about a newer version that contains a fix for this issue.
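The following is an added example, not Pydio's code or part of the original advisory: a response audit that reports any cookie whose value is echoed in a response body, and singles out cookies the server had marked HttpOnly, since a body disclosure of that kind defeats the flag. The cookie name, values and response bodies are constructed for the example.

```python
# Added example (not Pydio's own code): detect a session cookie value that is
# echoed in an HTTP response body, the weakness class described above.
import json
from http.cookies import SimpleCookie


def httponly_cookies(set_cookie_headers):
    """Names of cookies the server marked HttpOnly in its Set-Cookie headers."""
    names = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["httponly"]:  # flag is True when present, "" otherwise
                names.add(name)
    return names


def find_cookie_leaks(cookies, body, min_len=8):
    """Names of cookies whose value appears verbatim in the response body.

    Very short values are skipped so that generic flags like "en" do not
    produce false positives."""
    return sorted(name for name, value in cookies.items()
                  if len(value) >= min_len and value in body)


def audit_response(cookies, set_cookie_headers, body):
    """Classify leaked cookies; HttpOnly ones are the serious case, because a
    value returned in the body is readable by page scripts regardless of the flag."""
    protected = httponly_cookies(set_cookie_headers)
    leaked = find_cookie_leaks(cookies, body)
    return {"leaked": leaked,
            "httponly_defeated": [n for n in leaked if n in protected]}


# Constructed sample data: the browser's cookie jar after login, the Set-Cookie
# header that created it, and a JSON response that echoes the session id.
SAMPLE_COOKIES = {"SESSIONID": "k3f9q8v2m1x7z0p4", "lang": "en"}
SAMPLE_SET_COOKIE = ["SESSIONID=k3f9q8v2m1x7z0p4; Path=/; HttpOnly; Secure"]
LEAKY_BODY = json.dumps({"session_id": "k3f9q8v2m1x7z0p4"})
SAFE_BODY = json.dumps({"status": "ok"})

if __name__ == "__main__":
    print(audit_response(SAMPLE_COOKIES, SAMPLE_SET_COOKIE, LEAKY_BODY))
    print(audit_response(SAMPLE_COOKIES, SAMPLE_SET_COOKIE, SAFE_BODY))
```

In a deployment, the same check can be run from an integration test against the application's own responses to confirm the workaround above actually stops the disclosure.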

Exploit

Fix

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2019-10045

Affected Products

Pydio