PT-2020-18320 · Django · Django-User-Sessions

Bouke · Published 2020-01-24 · Updated 2020-01-29 · CVE-2020-5224

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: django-user-sessions versions prior to 1.7.1

Description: The views provided by django-user-sessions allow users to terminate specific sessions, and the session key is included in the rendered HTML. This is not a problem in itself, but if the website has an XSS vulnerability, the session key could be extracted by the attacker, potentially leading to a session takeover.

Recommendations: For versions prior to 1.7.1, remove the session key from the template as a workaround until a patch is available.
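The flaw and one way to close it, as an added example that is not code from django-user-sessions or from this advisory: the vulnerable view puts the raw session key into the HTML, while the hardened view exposes only an HMAC-derived handle that the server maps back to the key. The HMAC-handle approach, the SECRET_KEY value and the sample sessions are assumptions; the project's own 1.7.1 fix is not reproduced here.

```python
import hashlib
import hmac
import html

# Constructed stand-in for Django's settings.SECRET_KEY; the value is an assumption.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
# Constructed sample data: the session keys of one user's active sessions.
SESSIONS = {
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6": {"ip": "198.51.100.7", "agent": "Firefox"},
    "f0e1d2c3b4a5968778695a4b3c2d1e0f": {"ip": "203.0.113.9", "agent": "Chrome"},
}


def session_handle(session_key):
    """Opaque handle for a session: an HMAC of the key under the server secret.
    It identifies the session but cannot be turned back into the cookie value."""
    return hmac.new(SECRET_KEY, session_key.encode(), hashlib.sha256).hexdigest()


def _render(sessions, identifier):
    """Render the session list; `identifier` decides what goes into the form URL."""
    rows = []
    for key, meta in sessions.items():
        label = html.escape(f'{meta["ip"]} ({meta["agent"]})')
        rows.append(f'<li>{label} <form method="post" '
                    f'action="/sessions/{identifier(key)}/delete/"></form></li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_vulnerable(sessions):
    """Pattern the advisory describes: the raw session key lands in the HTML,
    where any script injected through an XSS flaw can read it from the DOM."""
    return _render(sessions, html.escape)


def render_hardened(sessions):
    """Same view, but only the opaque handle reaches the page."""
    return _render(sessions, session_handle)


def resolve_handle(sessions, handle):
    """Server side of the delete view: map a handle back to one of the caller's
    own session keys, so a handle can never select another user's session."""
    for key in sessions:
        if hmac.compare_digest(session_handle(key), handle):
            return key
    return None


def leaks_session_key(page, sessions):
    """Detection check: does a rendered page contain any raw session key?"""
    return any(key in page for key in sessions)
```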

Weakness Enumeration

Improper Authentication
Inadequate Encryption Strength

Related Identifiers

CVE-2020-5224
GHSA-5FQ8-3Q2F-4M5G
PYSEC-2020-230

Affected Products

Django-User-Sessions