Session Fixation Vulnerability in Pluck-CMS by Pluck
CVE-2021-31745

7.5HIGH

Key Information:

Vendor: Pluck-cms
Status: Pluck
Vendor: CVE Published:; 10 December 2021

What is CVE-2021-31745?

A session fixation vulnerability exists in Pluck-CMS's login.php file, allowing attackers to retain unauthorized access to the system. This issue arises because Pluck-CMS fails to invalidate previous sessions after an administrator changes the password, thereby enabling continued access even after remediation steps like password resets are enacted.

References

https://github.com/pluck-cms/pluck/issues/99

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2021
Vulnerability Reserved
Apr 23, 2021

JSON

Pluck-cms

What is CVE-2021-31745?

References

CVSS V3.1

Timeline