CVE-2021-33394

2021-05-2719:15:08

Google

osv.dev

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.6%

JSON

Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user’s account through the active session.

CPENameOperatorVersion
v6eq6.1.10
v6eq6.4.2
v6eq6.0.12
v6eq6.2.4
v6eq6.1.11pr
v6eq6.0.6
v6eq6.4.0-b1
v6eq6.4.0
v6eq6.1.15
v6eq6.0.0b2

Name	Operator	Version
v6	eq	6.1.10
v6	eq	6.4.2
v6	eq	6.0.12
v6	eq	6.2.4
v6	eq	6.1.11pr
v6	eq	6.0.6
v6	eq	6.4.0-b1
v6	eq	6.4.0
v6	eq	6.1.15
v6	eq	6.0.0b2

Rows per page:

1-10 of 541

References

github.com/cubecart/v6/commit/aac7b3a13a43e302d91f94a120417b2fda737d0f

github.com/xoffense/POC/blob/main/Session%20Fixation%20in%20Cubecart%206.4.2.md