Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

CVE-2019-12203 Session fixation in "change password" form

Medium (?)
Versions Affected:
^3.6, ^4.0
Versions Fixed:
3.6.8, 3.7.4, 4.3.5, 4.4.4
Release Date:

Session fixation attack surface has been identified around the change password form.

A potential account hijacking may happen if an attacker has physical access to victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.

Requires victim to click the password reset link sent to their email. If all the above happens, attackers may reset the password before the real user does that.

Base CVSS Score: 6.5

CWP Environmental Score: 6.5

Special thanks to Stephan Boscu & Liam Stein for reporting this issue.