Session Fixation in BigTree CMS 4.2.23 and earlier (CVE-2018-18380)
A Session Fixation issue was discovered in BigTree CMS 4.2.23 and earlier. The PHP session ID is not regenerated after login: core/inc/bigtree/admin.php keeps the user-provided PHP session ID instead of issuing a new one once the user has authenticated to the application. This session fixation could allow an attacker to hijack an admin session.
- Vendor website: https://www.bigtreecms.org/about/
- Source code: https://github.com/bigtreecms/BigTree-CMS
- Vulnerability Type: Other
- Vendor of Product: BigTree CMS
- Affected Product Code Base: BigTree CMS 4.2.23 and earlier
- CVE Impact: Other
An attacker may obtain a fresh session from the application and force the target user to use that session ID, for example through a cross-site scripting flaw or another vector; alternatively the attacker may try to steal the user's existing session ID. Once the attacker holds the same session ID as the target user, the session becomes authenticated when the user logs in, and the attacker gains access to the application. This results in a session hijacking attack.
A fixed version has been released: 4.2.24.
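The following is an added illustration, not BigTree's own code: a minimal PHP login handler showing the vulnerable pattern the advisory describes (session ID kept across the login boundary) beside the hardened form that regenerates it, with a CLI self-check. The credential check and the `$storedHash` value are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Both handlers assume session_start() has already been called by the
// application's bootstrap, as is typical for a PHP CMS.

// VULNERABLE (the pre-4.2.24 behaviour): the session ID that arrived with
// the request is kept after authentication. Whoever already knows that ID
// now shares an authenticated session.
function login_vulnerable(string $user, string $pass, string $storedHash): bool
{
    if ($user !== 'admin' || !password_verify($pass, $storedHash)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// HARDENED: issue a new session ID at the privilege boundary.
// session_regenerate_id(true) also deletes the old server-side session
// data, so a pre-login ID cannot be replayed to reach the new session.
function login_hardened(string $user, string $pass, string $storedHash): bool
{
    if ($user !== 'admin' || !password_verify($pass, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Self-check (run with `php` from the CLI): a correct login handler must
// change the session ID on success.
$storedHash = password_hash('correct-horse', PASSWORD_DEFAULT); // constructed demo credential
session_start();
$preLoginId = session_id(); // stands in for an ID that arrived in the request cookie

if (login_hardened('admin', 'correct-horse', $storedHash)) {
    echo session_id() === $preLoginId
        ? "FAIL: session ID reused across login\n"
        : "OK: session ID regenerated after login\n";
}
```

The same check works as a black-box regression test against a running instance: the session cookie value returned after a successful login must differ from the one sent with the login request.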
Best regards, Juttikhun Khamchaiyaphum
Has vendor confirmed or acknowledged the vulnerability?
- Juttikhun Khamchaiyaphum