
CVE-2022-24444 - Hybridsessions does not expire session id on logout

Severity:
Medium
Identifier:
CVE-2022-24444
Versions Affected:
silverstripe/hybridsessions: <=2.4.0, 2.5.0
Versions Fixed:
silverstripe/hybridsessions: 2.4.1, 2.5.1
Release Date:
2022-06-28

When the hybridsessions module is used without the session-manager module installed and session IDs are saved to disk, unexpired session IDs of logged-out users can still be used to make authenticated requests.

Base CVSS: 4.8

Reported by: Kartik Patel
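As an added illustration of the failure mode described above (not code from the advisory or from the hybridsessions module), here is a toy disk-backed session store in Python: one logout path only forgets the cookie client-side and leaves the on-disk record intact, the other destroys the record so the old ID can no longer authenticate. The store layout, file naming and TTL are assumptions made for the example.

```python
# Added example: toy file-backed session store (not the hybridsessions code).
import json
import os
import tempfile
import time

class FileSessionStore:
    """One JSON file per session ID under `directory` (constructed layout)."""
    def __init__(self, directory: str, ttl_seconds: int = 3600):
        self.directory = directory
        self.ttl = ttl_seconds

    def _path(self, sid: str) -> str:
        return os.path.join(self.directory, f"sess_{sid}.json")

    def login(self, user: str) -> str:
        """Create a server-side session record and return its ID."""
        sid = os.urandom(16).hex()
        with open(self._path(sid), "w") as fh:
            json.dump({"user": user, "expires": time.time() + self.ttl}, fh)
        return sid

    def authenticated_user(self, sid: str):
        """Return the user for a session ID, or None if unknown or expired."""
        try:
            with open(self._path(sid)) as fh:
                data = json.load(fh)
        except FileNotFoundError:
            return None
        return data["user"] if data["expires"] > time.time() else None

    def logout_cookie_only(self, sid: str) -> None:
        # Vulnerable pattern: the client drops its cookie, but the on-disk
        # record is untouched, so the old ID keeps working until the TTL ends.
        pass

    def logout_destroy(self, sid: str) -> None:
        # Fixed pattern: remove the server-side record so the ID is dead now.
        try:
            os.remove(self._path(sid))
        except FileNotFoundError:
            pass

def old_id_still_valid_after_logout(destroy_on_logout: bool) -> bool:
    """Replay a session ID after logout; True means the stale ID still works."""
    with tempfile.TemporaryDirectory() as tmp:
        store = FileSessionStore(tmp)
        sid = store.login("alice")
        (store.logout_destroy if destroy_on_logout else store.logout_cookie_only)(sid)
        return store.authenticated_user(sid) is not None
```

A regression check for this class of bug is exactly the replay in `old_id_still_valid_after_logout`: log in, log out, then reuse the captured ID and assert the server rejects it.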