CVE-2020-5224

Published: Jan 24, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.

Vendor	Product	Versions
Jazzband	django-user-sessions	affected `< 1.7.1`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g

x_refsource_CONFIRM

https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-5224

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References