Code injection

2020-02-0616:15:00

PRIOn knowledge base

www.prio-n.com

6.3 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.6%

JSON

The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.

CPENameOperatorVersion
cgiluaeq5.2 alpha1
cgiluaeq5.2 alpha2
cgiluage5.0.0
cgiluale5.0.1
cgiluage5.1.0
cgiluale5.1.4

Name	Operator	Version
cgilua	eq	5.2 alpha1
cgilua	eq	5.2 alpha2
cgilua	ge	5.0.0
cgilua	le	5.0.1
cgilua	ge	5.1.0
cgilua	le	5.1.4

References

seclists.org/fulldisclosure/2014/Apr/318

www.securityfocus.com/archive/1/531981/100/0/threaded

www.syhunt.com/en/index.php?n=Advisories.Cgilua-weaksessionid