
Session Fixation in BigTree CMS 4.2.23 and earlier (CVE-2018-18380)


A Session Fixation issue was discovered in BigTree CMS 4.2.23 and earlier. The PHP session ID is not regenerated after login: core/inc/bigtree/admin.php keeps the session ID supplied by the client instead of issuing a new one once the user has authenticated. An attacker who can plant a session ID in a victim's browser before the victim logs in can therefore hijack the resulting admin session.

Additional Information

Vulnerability Type

Other (Session Fixation)

Vendor of Product

Bigtree CMS

Affected Product Code Base

Bigtree CMS - 4.2.23 and earlier

Attack Type


CVE Impact

Other

An attacker may obtain a fresh session ID from the application and force the victim to use it, for example by setting the session cookie through a cross-site scripting vulnerability or another vector. Alternatively, the attacker may attempt to steal the user's existing session ID. Once the attacker and the target user share the same session ID, the attacker gains access to the application as that user as soon as the user logs in, which results in session hijacking. Regenerating the session ID on every privilege change (in particular, on successful login) removes this class of attack.
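The two paragraphs above describe the flaw (a login handler that keeps the client-supplied session ID) and how it is exploited (the attacker plants an ID, then waits for the victim to authenticate under it). The following PHP script, added here as an illustration and not taken from BigTree's code base, shows a generic login handler in its vulnerable form beside the corrected one, and simulates the planted-ID flow from the command line. The functions `authenticate`, `loginVulnerable`, `loginFixed`, the demo credentials and the session ID `attacker-chosen-id` are all constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not BigTree CMS code. Demonstrates session fixation in a
// generic PHP login handler and the fix (rotate the session ID after login).
// Credentials and the planted session ID below are constructed for the demo.

const DEMO_USERS = ['admin' => 'correct horse battery staple']; // constructed

function authenticate(string $user, string $pass): bool
{
    // Constant-time compare of the constructed demo password.
    return isset(DEMO_USERS[$user]) && hash_equals(DEMO_USERS[$user], $pass);
}

// Vulnerable pattern: the session ID the client arrived with (possibly
// planted by an attacker) survives login, so the attacker now holds an
// authenticated session for this user.
function loginVulnerable(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Fixed pattern: issue a new session ID once the user is authenticated.
// The argument true deletes the old session data, so the planted ID is
// dead rather than merely orphaned.
function loginFixed(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Report whether the ID the client brought is still the ID after login.
function idWasKept(string $planted): string
{
    return session_id() === $planted ? 'kept (fixation possible)' : 'rotated';
}

// --- CLI simulation of the attack flow -------------------------------------
// In a real attack the victim's browser would carry the planted value in the
// PHPSESSID cookie (for example set via an XSS vector); here we inject it
// directly so the script runs without a web server.
ini_set('session.use_cookies', '0'); // no headers to send from the CLI
$planted = 'attacker-chosen-id';     // constructed; only [a-zA-Z0-9,-] allowed

session_id($planted);
session_start();
loginVulnerable('admin', 'correct horse battery staple');
printf("vulnerable handler: session id after login is %s\n", idWasKept($planted));
session_write_close();

session_id($planted);
session_start();
loginFixed('admin', 'correct horse battery staple');
printf("fixed handler:      session id after login is %s\n", idWasKept($planted));
session_write_close();
```

To check a deployed instance for the same weakness, send a login request that carries a PHPSESSID cookie of your own choosing and compare that value with the session cookie the application uses afterwards; a fixed version responds with a new ID. As defense in depth, setting `session.use_strict_mode = 1` in php.ini makes PHP refuse session IDs from the client that it did not itself create, which limits the attacker to IDs the application has already issued, but it does not replace regenerating the ID at login.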


A fixed version has been released: BigTree CMS 4.2.24.


Best regards, Juttikhun Khamchaiyaphum

Has vendor confirmed or acknowledged the vulnerability?


