A Session Fixation issue was discovered in Bigtree 4.2.23 and earlier. The PHP session ID is not regenerated after login: the file core/inc/bigtree/admin.php accepts the user-provided PHP session ID instead of issuing a new one once a user has authenticated to the application. This Session Fixation could allow an attacker to hijack an admin session.
- Vendor website: https://www.bigtreecms.org/about/
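As an added illustration (not Bigtree's own code), the login pattern the advisory describes beside the corrected one in plain PHP; check_credentials(), the placeholder credentials and the cookie settings are assumptions for the example.

```php
<?php
// Added example, not code from Bigtree: a minimal login handler showing the
// session-fixation defect (session ID kept across authentication) and the fix.
declare(strict_types=1);

function check_credentials(string $user, string $pass): bool
{
    // Placeholder for the example; real code verifies a stored password hash.
    return $user === 'admin' && hash_equals('correct-horse', $pass);
}

// Vulnerable pattern: whatever session ID the client presented before login
// (e.g. in its PHPSESSID cookie) is kept, so that same ID now identifies an
// authenticated admin session.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // privilege changes, session ID does not
    return true;
}

// Fixed pattern: mint a fresh session ID at the moment of authentication and
// destroy the old one, so an ID known before login carries no privilege.
function login_fixed(string $user, string $pass): bool
{
    // Harden the session cookie as well (assumed settings; PHP 7.3+ syntax).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);  // true: delete the old session data too
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}
```

A quick check for the defect in any PHP application: compare the session cookie value before and after a successful login; if it is unchanged, session_regenerate_id() is missing from the login path.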