Session Fixation vulnerability
Issue date: 31-10-2018
Affects versions: 12.4, 12.3, 11.2, 10.2
Issue ID: SECURITY-77
Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12 and earlier versions.
Severity
normal
Description
The CMS web application has a session fixation vulnerability that allows an attacker to take over a user session and gain unauthorized access. To do so, the attacker has to provide a legitimate web application session ID and get the victim's browser to use it. See https://www.owasp.org/index.php/Session_fixation
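As an added illustration (not the CMS's code, and not a description of the actual fix in the maintenance releases), the following toy session store shows why a session ID that was known before login must not survive authentication. The `SessionStore` class, its methods and the `editor` user are constructed for this example.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (constructed for illustration)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> {"user": name or None}

    def get_or_create(self, presented_id=None):
        # Fixation precondition: the server keeps using any ID it already
        # issued, regardless of how the browser came to hold it.
        if presented_id in self.sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate `user`; return the ID the browser must use afterwards."""
        if self.rotate_on_login:
            # Hardened: retire the pre-login ID and move the session to a fresh one.
            data = self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(rotate_on_login):
    """Return the user that an ID known before login maps to after login."""
    store = SessionStore(rotate_on_login)
    known_id = store.get_or_create()           # anonymous ID known to a third party
    victim_id = store.get_or_create(known_id)  # victim's browser presents that ID
    store.login(victim_id, "editor")
    return store.user_for(known_id)


if __name__ == "__main__":
    print("no rotation:", fixation_outcome(False))  # pre-login ID is now authenticated
    print("rotation:   ", fixation_outcome(True))   # pre-login ID no longer exists
```

The same check applies to a deployed application: the session cookie value seen before login should differ from the one issued after a successful login.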
Instructions
This vulnerability has been fixed for all currently supported CMS versions. The fix consists of code changes only, so the only action required is updating to the latest maintenance release: CMS 10.2.13, CMS 11.2.9, CMS 12.3.2 or CMS 12.4.1.