Session Fixation Vulnerability in Pluck-CMS by Pluck
CVE-2021-31745

7.5HIGH

Key Information:

Vendor

Pluck-cms

Status
Pluck
Vendor
CVE Published:
10 December 2021

What is CVE-2021-31745?

A session fixation vulnerability exists in Pluck-CMS's login.php file, allowing attackers to retain unauthorized access to the system. This issue arises because Pluck-CMS fails to invalidate previous sessions after an administrator changes the password, thereby enabling continued access even after remediation steps like password resets are enacted.

References

https://github.com/pluck-cms/pluck/issues/99
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.