Session fixation in change password form

Moderate severity GitHub Reviewed Published Nov 12, 2019 to the GitHub Advisory Database • Updated Feb 7, 2024

Package

silverstripe/framework (Composer)

Affected versions (patched version)

>= 3.7.0, < 3.7.4 (patched in 3.7.4)
>= 4.4.0, < 4.4.4 (patched in 4.4.4)
>= 3.6.0, < 3.6.8 (patched in 3.6.8)
>= 4.0.0, < 4.3.5 (patched in 4.3.5)

Reviewed Nov 12, 2019

Severity

Moderate, 6.3 / 10

CVSS base metrics

Attack vector: Physical
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2019-12203

GHSA ID

GHSA-w7r7-r8r9-vrg2

Source code

No known source code