Session Fixation Vulnerability in aiohttp-session by aio-libs
CVE-2018-1000519

6.5 MEDIUM

Key Information:

CVE Published: 26 June 2018

What is CVE-2018-1000519?

The aiohttp-session library by aio-libs contains a Session Fixation vulnerability in the load_session function of its RedisStorage backend, which can result in session hijacking. The flaw is exploitable through any method that lets an attacker set or alter the session cookie, for example a URL parameter or injected meta or script tags. Since the attacker then knows the identifier under which the victim's session is stored, the flaw poses a significant risk to user sessions unless appropriate safeguards are in place.
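To make the defect concrete, the following is an added illustration (not aiohttp-session's own code) of the two load_session behaviours side by side: a fixable variant that keeps a client-supplied session id even when nothing is stored under it, and a hardened variant that only honours ids already present in the store. The in-memory FakeRedis, the function names and the sample session values are constructed for this example.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed in-memory stand-in for the Redis backend (not real redis).
class FakeRedis:
    def __init__(self) -> None:
        self.data: Dict[str, Dict[str, str]] = {}

    def get(self, key: str) -> Optional[Dict[str, str]]:
        return self.data.get(key)

    def set(self, key: str, value: Dict[str, str]) -> None:
        self.data[key] = value

LoadFn = Callable[[FakeRedis, Optional[str]], Tuple[str, Dict[str, str]]]

def load_session_fixable(store: FakeRedis, cookie_id: Optional[str]):
    """Vulnerable pattern: an id that is not yet in the store is kept anyway,
    so the session later saved for the user lives under a key the client chose."""
    if cookie_id is None:
        return secrets.token_hex(16), {}
    data = store.get(cookie_id)
    return cookie_id, (dict(data) if data is not None else {})

def load_session_hardened(store: FakeRedis, cookie_id: Optional[str]):
    """Hardened pattern: only a key that already exists server-side is honoured;
    any unknown id is discarded and a fresh random key is issued instead."""
    if cookie_id is not None:
        data = store.get(cookie_id)
        if data is not None:
            return cookie_id, dict(data)
    return secrets.token_hex(16), {}

def fixation_succeeds(load_session: LoadFn) -> bool:
    """Replay the advisory's scenario against one implementation: a cookie with a
    pre-chosen id reaches the app, the user authenticates, the session is saved.
    True means the pre-chosen id now resolves to the authenticated session."""
    store = FakeRedis()
    planted_id = "planted-session-id"  # constructed value set via the cookie
    key, session = load_session(store, planted_id)
    session["user"] = "victim"         # constructed: app marks the user logged in
    store.set(key, session)
    leaked = store.get(planted_id)
    return leaked is not None and leaked.get("user") == "victim"

if __name__ == "__main__":
    print("fixable:", fixation_succeeds(load_session_fixable))    # True
    print("hardened:", fixation_succeeds(load_session_hardened))  # False
```

The hardened variant still resumes a legitimate session whose id already exists in the store; it only refuses to adopt ids the server never issued.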

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved