CVE-2019-12203 Session fixation in "change password" form
- Severity: Medium
- Identifier: CVE-2019-12203
- Versions Affected: ^3.6, ^4.0
- Versions Fixed: 3.6.8, 3.7.4, 4.3.5, 4.4.4
- Release Date: 2019-09-24
A session fixation attack surface has been identified in the change password form.
Account hijacking is possible if an attacker can first fix the victim's session identifier, for example through physical access to the victim's computer, or through an XSS vulnerability in the targeted application that allows the session cookie to be set. The attack additionally requires the victim to click the password reset link sent to their email while using that fixed session. If all of the above conditions are met, the attacker, who knows the session identifier and therefore shares the session, can submit the change password form and reset the password before the real user does.
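The attack chain above, as an added illustration that is not code from the affected project and does not reproduce its actual fix: a minimal Python model of a reset flow in which the change password form relies on state written into the session when the reset link is visited. With a fixed session ID the attacker can submit that form first. The hardened variant applies the standard mitigation of regenerating the session ID when the reset link is consumed, so the ID the attacker fixed no longer refers to the victim's session. All names (`Server`, `run_attack`, the users and passwords) are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    """Toy web app with a password-reset-by-email flow (constructed example)."""
    sessions: dict = field(default_factory=dict)      # session_id -> session data
    reset_tokens: dict = field(default_factory=dict)  # emailed token -> username
    passwords: dict = field(default_factory=dict)     # username -> password
    regenerate_on_reset: bool = False                 # hardened behaviour switch

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def issue_reset_link(self, username: str) -> str:
        """Equivalent of 'send reset email': returns the token the link carries."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        return token

    def visit_reset_link(self, sid: str, token: str) -> str:
        """GET of the emailed link. Validates the token and remembers the
        user in the session so the following form POST can use it.
        Returns the session id the browser holds afterwards."""
        username = self.reset_tokens.pop(token, None)
        if username is None:
            raise PermissionError("invalid or used reset token")
        if self.regenerate_on_reset:
            # Hardened: rotate the session id at this privilege change, so a
            # session id the attacker fixed beforehand is now dead.
            self.sessions.pop(sid, None)
            sid = self.new_session()
        self.sessions[sid]["reset_user"] = username
        return sid

    def change_password(self, sid: str, new_password: str) -> None:
        """POST of the change password form; trusts only session state."""
        sess = self.sessions.get(sid)
        if not sess or "reset_user" not in sess:
            raise PermissionError("no pending password reset in this session")
        user = sess.pop("reset_user")  # single use
        self.passwords[user] = new_password


def run_attack(hardened: bool) -> dict:
    """Plays the advisory's scenario and reports who got to set the password."""
    srv = Server(regenerate_on_reset=hardened)
    srv.passwords["alice"] = "original-pw"

    # 1. Attacker obtains a session id and plants it in the victim's browser
    #    (physical access or XSS setting the cookie): session fixation.
    fixed_sid = srv.new_session()

    # 2. Victim requests a reset; the token goes out by email.
    token = srv.issue_reset_link("alice")

    # 3. Victim clicks the emailed link while using the fixed session.
    victim_sid = srv.visit_reset_link(fixed_sid, token)

    # 4. Attacker, who knows fixed_sid, submits the change password form first.
    try:
        srv.change_password(fixed_sid, "attacker-pw")
        attacker_won = True
    except PermissionError:
        attacker_won = False

    # 5. The real user submits the form afterwards.
    try:
        srv.change_password(victim_sid, "victim-pw")
        victim_ok = True
    except PermissionError:
        victim_ok = False

    return {
        "attacker_won": attacker_won,
        "victim_ok": victim_ok,
        "final_password": srv.passwords["alice"],
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("hardened:  ", run_attack(hardened=True))
```

Regenerating the session ID at the moment the reset token is consumed is the same rule applied at login: any step that raises the session's privilege must not keep an identifier the browser held before that step. A second, complementary hardening is to carry the token in the change password POST itself rather than only in the session, so the form cannot be submitted by anyone who merely shares the session.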
Base CVSS Score: 6.5
CWP Environmental Score: 6.5
Special thanks to Stephan Boscu & Liam Stein for reporting this issue.