CVE-2019-10045

Published: May 31, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active).

Affected (1)

Products: Pydio: Pydio

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pydio Pydio	Up to 8.2.2

Related CWEs

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (2)

https://www.secureauth.com/labs/advisories

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.secureauth.com/labs/advisories

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.