CVE-2022-4231 – tribalsystems/zenario

Package

Manager: composer
Name: tribalsystems/zenario
Vulnerable Version: >=0 <=9.3.57595

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00101 pctl0.28486

Details

Tribal Systems Zenario CMS vulnerable to Session Fixation Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with. The attack may be initiated remotely and an exploit has been disclosed.

Metadata

Created: 2022-11-30T12:30:20Z
Modified: 2022-12-06T18:52:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-6657-9743-4mc6/GHSA-6657-9743-4mc6.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-6657-9743-4mc6
Finding: F280
Auto approve: 1