Lucene search

Veracode Vulnerability DatabaseVERACODE:38014

HistoryNov 16, 2022 - 4:07 a.m.

Insecure Session Management

2022-11-1604:07:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

23.7%

JSON

Concrete CMS is vulnerable to insecure sessions management. The vulnerability exists in the attemptAuthentication function in GenericOauthTypeController.php where it does not issue a new session ID upon successful OAuth authentication.

CPENameOperatorVersion
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2

Name	Operator	Version
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-m53v-5x5x-5m2p

github.com/concretecms/concretecms-core/commit/6f9e32b8ebdfcc79d47df57785e7ea9109fe60b7

github.com/concretecms/concretecms-core/commit/94beb230c8c4b138ec3c6265b5037fd5ad08bb22

github.com/concretecms/concretecms/commit/87d0966e2654bfb6e2a0a459a670926a72bf73bb

github.com/concretecms/concretecms/commit/92e0025f229e4b237b7d53507f771c2f9027fba3

github.com/concretecms/concretecms/pull/10991

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

23.7%

JSON

Related for VERACODE:38014