Moderate severity vulnerability that affects aiohttp-session

2018-09-13T15:46:40
ID GHSA-FPWP-69XV-C67F
Type github
Reporter GitHub Advisory Database
Modified 2019-07-03T21:02:03

Description

The PyPI package aiohttp-session before 2.4.0 contained a session fixation vulnerability in the load_session function for RedisStorage that can result in session hijacking. The attack appears to be exploitable via any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).
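
A simplified model of the flaw class described above, added here as an illustration and not taken from aiohttp-session's code: a dict stands in for Redis, and `Session`, `load_session_vulnerable`, `load_session_hardened`, `save_session` and `login_with_planted_cookie` are hypothetical names. It contrasts a loader that adopts an unknown client-supplied session ID with one that only honours IDs already present in the store.

```python
import secrets


class Session:
    def __init__(self, identity, data, new):
        self.identity = identity  # key used in the backing store
        self.data = dict(data)
        self.new = new


def load_session_vulnerable(store, cookie_value):
    # Fixation-prone pattern: an ID the server never issued is adopted as the key.
    if cookie_value is None:
        return Session(secrets.token_hex(16), {}, new=True)
    data = store.get(cookie_value)
    if data is None:
        return Session(cookie_value, {}, new=True)
    return Session(cookie_value, data, new=False)


def load_session_hardened(store, cookie_value):
    # Only IDs already present in the store are honoured; a missing or
    # unknown cookie value gets a fresh server-generated random key.
    data = store.get(cookie_value) if cookie_value is not None else None
    if data is None:
        return Session(secrets.token_hex(16), {}, new=True)
    return Session(cookie_value, data, new=False)


def save_session(store, session):
    store[session.identity] = dict(session.data)
    return session.identity  # value that would be sent back in Set-Cookie


def login_with_planted_cookie(loader, planted_id, user):
    """Return the ID under which the authenticated data ends up stored."""
    store = {}  # constructed in-memory stand-in for Redis
    session = loader(store, planted_id)
    session.data["user"] = user  # application marks the session as logged in
    return save_session(store, session), store
```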