OSV:GHSA-5FQ8-3Q2F-4M5G (source: Google osv.dev)
Published: Jan 24, 2020 - 7:56 p.m.

Session key exposure through session list in Django User Sessions


EPSS: 0.001 (Low), percentile 42.8%

Impact

The views provided by django-user-sessions let a user list their active sessions and terminate specific ones. The session key is used to identify each session, so it is rendered into the HTML of the session list. On its own this is not a problem. However, the session key is also the value the session cookie carries, so if the site has an XSS vulnerability, injected script can read the key out of the DOM (sidestepping the HttpOnly protection that normally keeps the session cookie out of reach of script) and use it to take over that session.

Patches

Patch is under way.

Workarounds

Remove the session_key from the session-list template so that it is no longer rendered into the HTML.
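The following is an added example, not code from django-user-sessions or from this advisory. It reproduces the pattern the Impact section describes (the raw session key embedded in each session's "terminate" form), shows what a DOM-scraping XSS payload would recover from that page, and contrasts it with a hardened rendering that identifies sessions by an HMAC-derived reference instead. The session records, the site secret, the `/sessions/<id>/delete/` URL shape and the helper names are all assumptions made for the example.

```python
"""Added example: why rendering the raw session key into a session list is
dangerous, and one way to list and terminate sessions without exposing it.
Assumptions (not from the advisory): sessions are dicts with the fields
below, the site secret is a module constant, and the terminate endpoint is
/sessions/<id>/delete/.
"""
import hashlib
import hmac
import html
import re

# Constructed sample data. session_key is the value of the session cookie,
# i.e. the bearer credential for the logged-in user.
SESSIONS = [
    {"session_key": "v6l9a0zqk2ev1vw4kj8n3s4rk0m1x5uz", "ip": "203.0.113.5", "ua": "Firefox/72"},
    {"session_key": "q2ju0r1n7f8u3l6f0v8t5m9ck4z1a2wp", "ip": "198.51.100.7", "ua": "Chrome/79"},
]

# Assumed site secret; in a Django project this would be settings.SECRET_KEY.
SITE_SECRET = b"example-secret-not-for-production"


def session_ref(session_key, secret=SITE_SECRET):
    """Opaque per-session handle (hypothetical helper): an HMAC of the key,
    so the page carries nothing an attacker can replay as a cookie value."""
    return hmac.new(secret, session_key.encode(), hashlib.sha256).hexdigest()


def _row(s, target):
    return (
        f"<tr><td>{html.escape(s['ip'])}</td><td>{html.escape(s['ua'])}</td>"
        f'<td><form method="post" action="/sessions/{html.escape(target)}/delete/">'
        f"<button>End session</button></form></td></tr>"
    )


def render_vulnerable(sessions):
    """The pattern the advisory describes: the raw session key lands in the HTML."""
    return "<table>" + "".join(_row(s, s["session_key"]) for s in sessions) + "</table>"


def render_hardened(sessions):
    """Same list, but each form targets the opaque reference instead of the key."""
    return "<table>" + "".join(_row(s, session_ref(s["session_key"])) for s in sessions) + "</table>"


def extract_delete_targets(page):
    """What an XSS payload scraping the DOM obtains: every identifier used in a
    terminate form. document.cookie is useless against an HttpOnly session
    cookie, but the rendered DOM is always readable from injected script."""
    return re.findall(r'action="/sessions/([^/"]+)/delete/"', page)


def leaked_keys(page, sessions):
    """Session keys (cookie values) recoverable from the page, in list order."""
    targets = set(extract_delete_targets(page))
    return [s["session_key"] for s in sessions if s["session_key"] in targets]


def find_by_ref(sessions, ref):
    """Server-side resolution for the hardened terminate view. Constant-time
    comparison so the lookup does not leak the reference byte by byte."""
    for s in sessions:
        if hmac.compare_digest(session_ref(s["session_key"]), ref):
            return s
    return None


if __name__ == "__main__":
    print("vulnerable page leaks:", leaked_keys(render_vulnerable(SESSIONS), SESSIONS))
    print("hardened page leaks:  ", leaked_keys(render_hardened(SESSIONS), SESSIONS))
```

The hardened view still lets the user pick which session to end, because the server can recompute `session_ref` for each of that user's own sessions and match the submitted reference; the reference is not reversible, so an attacker who scrapes it gains nothing usable as a cookie. Scope the lookup to the requesting user's sessions in a real view so that one user cannot terminate another's session by guessing references.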

References

None.

For more information

If you have any questions or comments about this advisory:

