PT-2022-16701 · Silverstripe · Silverstripe/Framework
Kartik Patel
·
Published
2022-06-28
·
Updated
2024-03-06
·
CVE-2022-24444
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Silverstripe silverstripe/framework versions 4.10 and earlier
Description
The issue is classed as session fixation, but the mechanism is a failure to invalidate sessions on logout: when the hybridsessions module is used without the session-manager module installed and session data is saved to disk, logging out does not destroy the server-side session record. An unexpired session ID belonging to a logged-out user can therefore still be presented to make authenticated requests until the session times out on its own, so anyone who has obtained that ID keeps the user's access after the user believes they have logged out.
Recommendations
Upgrade silverstripe/framework to a release later than 4.10 (the affected range is 4.10 and earlier). Where an upgrade is not immediately possible, either install the session-manager module, whose absence is part of the vulnerable configuration described above, or disable the hybridsessions module. In addition, restrict filesystem access to the directory where session data is saved to disk, and keep session lifetimes short so that a session record left behind by a logout expires quickly. After applying any of these measures, confirm that a session cookie captured before logout is rejected afterwards.
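The check behind the description and the last recommendation above, as an added example (this is not code from the advisory or from Silverstripe): log in, capture the session cookie, log out, then replay the captured cookie against a page that requires login. If that page still answers as the logged-in user, the server kept the session record alive. The login and logout paths, the form field names and the cookie name are assumptions about a generic Silverstripe-style site and must be adjusted for a real target; `FakeSite` is a constructed stand-in for the server so the check runs offline, with `invalidate_on_logout=False` reproducing the vulnerable behaviour.

```python
"""Black-box check for post-logout session replay (the bug class in
CVE-2022-24444). Added example, not advisory or Silverstripe code; the
paths, field names and cookie name below are assumptions.
"""
import http.client
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

LOGIN_PATH = "/Security/LoginForm"   # assumed login form action
LOGOUT_PATH = "/Security/logout"     # assumed logout endpoint
PROTECTED_PATH = "/admin/"           # assumed: any page that requires login
SESSION_COOKIE = "PHPSESSID"         # assumed cookie name (PHP default)


def cookie_header(jar):
    """Serialise a {name: value} jar into a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def update_jar(jar, set_cookie_headers):
    """Apply Set-Cookie headers; an emptied or Max-Age=0 cookie deletes."""
    for raw in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0" or morsel.value in ("", "deleted"):
                jar.pop(name, None)
            else:
                jar[name] = morsel.value


def replay_check(send, username, password):
    """send(method, path, headers, body) -> (status, set_cookie_list, body).

    A vulnerable target yields authenticated_before_logout == True and
    old_cookie_still_works == True.
    """
    jar = {}
    body = urlencode({"Email": username, "Password": password,  # assumed fields
                      "action_doLogin": "Log in"})
    _, set_cookies, _ = send("POST", LOGIN_PATH,
                             {"Content-Type": "application/x-www-form-urlencoded",
                              "Cookie": cookie_header(jar)}, body)
    update_jar(jar, set_cookies)
    captured = dict(jar)  # what someone who saw the cookie before logout holds

    status_auth, _, _ = send("GET", PROTECTED_PATH, {"Cookie": cookie_header(jar)}, None)
    _, set_cookies, _ = send("GET", LOGOUT_PATH, {"Cookie": cookie_header(jar)}, None)
    update_jar(jar, set_cookies)  # the browser forgets the cookie here ...
    status_replay, _, _ = send("GET", PROTECTED_PATH,
                               {"Cookie": cookie_header(captured)}, None)  # ... the attacker does not
    return {
        "authenticated_before_logout": status_auth == 200,
        "cookie_cleared_client_side": SESSION_COOKIE not in jar,
        "old_cookie_still_works": status_replay == 200,
    }


def http_sender(host, port=80):
    """Transport for a real target over plain HTTP using http.client."""
    def send(method, path, headers, body):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        set_cookies = resp.msg.get_all("Set-Cookie", [])
        conn.close()
        return resp.status, set_cookies, data
    return send


class FakeSite:
    """Constructed offline stand-in for the server. invalidate_on_logout=False
    mirrors the advisory: logout expires the browser cookie but leaves the
    server-side session record (a file on disk, in the real case) valid."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> member name

    def _sid(self, headers):
        jar = {}
        for part in headers.get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                jar[k] = v
        return jar.get(SESSION_COOKIE)

    def send(self, method, path, headers, body):
        sid = self._sid(headers)
        if method == "POST" and path == LOGIN_PATH:
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = "admin"
            return 302, [f"{SESSION_COOKIE}={new_sid}; Path=/; HttpOnly"], b""
        if path == LOGOUT_PATH:
            if self.invalidate_on_logout:
                self.sessions.pop(sid, None)  # destroy the server-side record
            return 302, [f"{SESSION_COOKIE}=deleted; Max-Age=0; Path=/"], b""
        if path == PROTECTED_PATH:
            if sid in self.sessions:
                return 200, [], b"admin panel"
            return 302, [], b""  # bounced to the login page
        return 404, [], b""
```

Against a real instance, pass `http_sender(host)` instead of `FakeSite(...).send`; the check reports `old_cookie_still_works` as True when the replayed cookie is still accepted. Note that the client-side cookie is cleared in both the vulnerable and fixed cases, which is why a browser-only test never notices this bug.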
Exploit
Fix
Session Fixation
Weakness Enumeration
Related Identifiers
Affected Products
Silverstripe/Framework