
Session key exposure through session list

Low
Bouke published GHSA-5fq8-3q2f-4m5g Jan 24, 2020

Package

pip django-user-sessions (pip)

Affected versions

<=1.7.0

Patched versions

1.7.1

Description

Impact

The views provided by django-user-sessions let a user list their active sessions and terminate a specific one. The session key is used to identify each session, and is therefore included in the rendered HTML (for example in the URL of the per-session delete form). In itself this is not a problem, since the keys are only shown to the user they belong to. However, if the website has an XSS vulnerability, injected script can read the session keys out of the page. Because the session key is also the value of the session cookie, this undoes the protection that HttpOnly gives the cookie: an attacker who extracts a key can present it as their own session cookie and take over the session.

Patches

Fixed in 1.7.1 (see Patched versions above).

Workarounds

Remove the session_key from the template so the raw session identifier is never rendered into the page. The session list then needs some other per-row identifier for the delete action.
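As an added example, not part of this advisory and not django-user-sessions' own code, the following standard-library Python sketch shows the two patterns behind the Impact and Workarounds sections: a session list that embeds the raw session key, and one that embeds an opaque HMAC-derived token instead and resolves it back to a session only among the requesting user's own sessions. The in-memory session store, the SECRET_KEY value, the URL layout and the HMAC scheme are all constructed assumptions; the HMAC approach is one possible hardening, not necessarily the fix shipped in 1.7.1.

```python
"""Added example: why rendering the raw session key is dangerous, and one way
to reference sessions in HTML without exposing it. Standard library only."""
import hashlib
import hmac
import html
import re
import secrets

# Constructed stand-in for the server's secret (assumption, not from the advisory).
SECRET_KEY = b"constructed-secret-key-for-the-example"

# Constructed in-memory session store: session_key -> owner.
# In Django the session_key is also the value of the session cookie.
SESSIONS = {
    secrets.token_hex(16): "alice",
    secrets.token_hex(16): "alice",
    secrets.token_hex(16): "bob",
}


def user_sessions(user):
    """Session keys belonging to one user (what the session-list view would query)."""
    return [k for k, owner in SESSIONS.items() if owner == user]


def render_vulnerable(user):
    """Vulnerable pattern: the raw session key identifies each row in the HTML."""
    rows = "".join(
        f'<li><form method="post" action="/sessions/{html.escape(k)}/delete">'
        f'<button>End session</button></form></li>'
        for k in user_sessions(user)
    )
    return f"<ul>{rows}</ul>"


def session_token(session_key):
    """Opaque, non-reversible handle for a session key (assumed scheme: HMAC-SHA256)."""
    return hmac.new(SECRET_KEY, session_key.encode(), hashlib.sha256).hexdigest()


def render_hardened(user):
    """Hardened pattern: only the derived token appears in the HTML."""
    rows = "".join(
        f'<li><form method="post" action="/sessions/{session_token(k)}/delete">'
        f'<button>End session</button></form></li>'
        for k in user_sessions(user)
    )
    return f"<ul>{rows}</ul>"


def xss_harvest(page_html):
    """Model of what an injected script can do: read every identifier out of the DOM."""
    return set(re.findall(r'action="/sessions/([0-9a-f]+)/delete"', page_html))


def hijackable(identifiers):
    """Identifiers that would be accepted if presented as a session cookie."""
    return {i for i in identifiers if i in SESSIONS}


def terminate_session(user, token):
    """Delete view for the hardened pattern: resolve the token only among the
    requesting user's sessions, so a token for someone else's session is useless."""
    for k in user_sessions(user):
        if hmac.compare_digest(session_token(k), token):
            del SESSIONS[k]
            return True
    return False


if __name__ == "__main__":
    leaked = hijackable(xss_harvest(render_vulnerable("alice")))
    print("vulnerable page leaks", len(leaked), "usable session keys")
    leaked = hijackable(xss_harvest(render_hardened("alice")))
    print("hardened page leaks", len(leaked), "usable session keys")
```

The token is keyed with a server secret rather than being a plain hash so that nothing derived from the session key is disclosed at all; with Django's high-entropy keys an unkeyed SHA-256 would also be non-reversible in practice. The lookup in `terminate_session` is scoped to the requesting user's sessions, so an attacker who reads a token from someone else's page cannot use it to end that person's session, and `hmac.compare_digest` keeps the comparison constant-time.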

References

None.

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2020-5224

Weaknesses

No CWEs