The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.
History

Thu, 21 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2024-05-29T12:31:29.973Z

Updated: 2024-11-21T19:27:49.613Z

Reserved: 2024-02-13T09:28:28.810Z

Link: CVE-2024-25977

cve-icon Vulnrichment

Updated: 2024-08-01T23:52:06.434Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-29T13:15:49.683

Modified: 2024-11-21T20:15:39.787

Link: CVE-2024-25977

cve-icon Redhat

No data.