Описание
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.
Ссылки
- Third Party Advisory
- Patch
- Third Party Advisory
- Patch
Уязвимые конфигурации
Конфигурация 1Версия до 1.7.1 (исключая)
cpe:2.3:a:django-user-sessions_project:django-user-sessions:*:*:*:*:*:*:*:*
EPSS
Процентиль: 33%
0.00129
Низкий
6.5 Medium
CVSS3
8.8 High
CVSS3
4 Medium
CVSS2
Дефекты
CWE-287
CWE-326
Связанные уязвимости
CVSS3: 6.5
github
около 6 лет назад
Session key exposure through session list in Django User Sessions
EPSS
Процентиль: 33%
0.00129
Низкий
6.5 Medium
CVSS3
8.8 High
CVSS3
4 Medium
CVSS2
Дефекты
CWE-287
CWE-326