CVE-2009-20001

Опубликовано: 07 мар. 2021

Источник: nvd

CVSS3: 8.1

CVSS2: 5.5

EPSS Низкий

Описание

An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.

Ссылки

https://mantisbt.org/bugs/view.php?id=11296
Issue Tracking
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=27976
Exploit
Issue Tracking
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=11296
Issue Tracking
Vendor Advisory
https://mantisbt.org/bugs/view.php?id=27976
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*

Версия до 2.24.5 (исключая)

EPSS

Процентиль: 35%

0.00142

Низкий

8.1 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-613

Связанные уязвимости

CVE-2009-20001

CVSS3: 8.1

debian

почти 5 лет назад

An issue was discovered in MantisBT before 2.24.5. It associates a uni ...

GHSA-jm72-67rm-763j

CVSS3: 8.1

github

почти 4 года назад

MantisBT Insufficient Session Expiration cookie string not reset after logout

EPSS

Процентиль: 35%

0.00142

Низкий

8.1 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-613