CVE-2020-5224 MEDIUM

CVE-2020-5224: Session key exposure through session list in Django User Sessions

Vendor Jazzband
Product django-user-sessions
Weakness CWE-287 · Improper authentication
Published January 24, 2020
Last update August 4, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

Description

In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions and is therefore included in the rendered HTML. In itself this is not a problem. However, if the website has an XSS vulnerability, the session key could be extracted by an attacker and a session takeover could occur.
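As an added illustration of the pattern the description points at (this is example code, not django-user-sessions' own code and not its actual 1.7.1 fix), the block below renders a session list the pre-1.7.1 way, with the raw session key as the form identifier, next to a hardened variant that puts only a one-way digest of the key in the HTML and resolves it server-side among the requesting user's own sessions. The session rows, the URL scheme and the SHA-256 digest are assumptions made for the example.

```python
import hashlib
import hmac
import html

# Constructed sample: the rows a per-user "active sessions" view would display.
# The keys are made-up stand-ins for Django's random 32-character session keys.
USER_SESSIONS = [
    {"session_key": "k7q2x9p4m1n8v3c6z0b5a2s7d4f1g8h3", "ip": "203.0.113.7", "ua": "Firefox"},
    {"session_key": "w1e2r3t4y5u6i7o8p9a0s1d2f3g4h5j6", "ip": "198.51.100.9", "ua": "Chrome"},
]


def session_key_digest(session_key: str) -> str:
    """One-way identifier for a session (assumed scheme: SHA-256 of the key).
    Session keys are high-entropy, so a digest leaked via XSS cannot be turned
    back into the cookie value that would be needed to take over the session."""
    return hashlib.sha256(session_key.encode("utf-8")).hexdigest()


def render_vulnerable(sessions) -> str:
    # The pattern the advisory describes: the raw session key is the identifier in
    # the "end this session" form, so it ends up in the page source for XSS to read.
    rows = [f'<form method="post" action="/sessions/{html.escape(s["session_key"])}/delete/">'
            f'{html.escape(s["ip"])} ({html.escape(s["ua"])})</form>' for s in sessions]
    return "\n".join(rows)


def render_hardened(sessions) -> str:
    # Same list, but the form carries only the digest; the cookie value never reaches HTML.
    rows = [f'<form method="post" action="/sessions/{session_key_digest(s["session_key"])}/delete/">'
            f'{html.escape(s["ip"])} ({html.escape(s["ua"])})</form>' for s in sessions]
    return "\n".join(rows)


def resolve_digest(sessions, digest: str):
    """Server side of the hardened delete view: map a submitted digest back to a
    session key by scanning only the current user's sessions, never a global table
    keyed by attacker-controlled input. Comparison is constant-time."""
    wanted = digest.encode("utf-8")
    for s in sessions:
        if hmac.compare_digest(session_key_digest(s["session_key"]).encode("utf-8"), wanted):
            return s["session_key"]
    return None
```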

Key dates

Disclosure timeline

January 24, 2020 CVE published
August 4, 2024 Record updated