CVE-2023-24477 HIGH

CVE-2023-24477: Session Fixation in Guardian/CMC before 22.6.2

Vendor Nozomi Networks
Product Guardian
Weakness CWE-384 · Session fixation
Published August 9, 2023
Last update September 20, 2024

CVSS base score

7.0/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Under certain conditions that depend on timing and on the use of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user's session on logout. An authenticated local attacker may therefore gain access to the original user's session.
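The record is filed under CWE-384 (session fixation), but the behaviour described is a logout that leaves the server-side session usable. Both patterns share one test: does a session identifier that was known before login, or that should have died at logout, still authenticate? The following is an added illustrative model, not Nozomi Networks' code, and it does not reproduce Guardian's internals or the Chrome timing condition, which the page does not detail. The class names, the in-memory store and the user "alice" are all constructed for the example; the two check functions are the ones a tester would adapt to run against any real session implementation.

```python
import secrets
import time

# Constructed illustrative model of a cookie-based session store.
# It is NOT Nozomi Networks' code; it exists only to contrast the weak and the
# hardened login/logout patterns behind session fixation and incomplete logout.


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "created": ...}

    def _mint(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit random id from the CSPRNG
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def user_for(self, sid):
        """Resolve a presented session id to its user, or None if not valid."""
        rec = self._sessions.get(sid)
        return rec["user"] if rec else None

    # --- login variants --------------------------------------------------
    def login_weak(self, user, presented_sid=None):
        # Classic fixation: the server adopts a session id the client already
        # presents (e.g. one an attacker planted) instead of minting a new one.
        if presented_sid:
            self._sessions[presented_sid] = {"user": user, "created": time.time()}
            return presented_sid
        return self._mint(user)

    def login(self, user, presented_sid=None):
        # Hardened: any pre-login id is discarded and a fresh id is minted, so
        # an id known before authentication never becomes an authenticated one.
        self._sessions.pop(presented_sid, None)
        return self._mint(user)

    # --- logout variants -------------------------------------------------
    def logout_client_only(self, sid):
        # Weak: only instructs the browser to drop the cookie. The server-side
        # record stays live, so anyone holding sid (another local user, a copied
        # cookie, a tab that never processed the header) is still logged in.
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout(self, sid):
        # Hardened: destroy the server-side record first, then clear the cookie.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


# --- checks a tester would run against a real target -------------------------
def session_survives_logout(store, logout):
    """True if the old session id still authenticates after logout."""
    sid = store.login("alice")  # constructed test user
    logout(sid)
    return store.user_for(sid) is not None


def planted_id_becomes_session(store, login):
    """True if an id known before login is accepted as the authenticated session."""
    planted = secrets.token_urlsafe(32)  # id the attacker set in the victim's browser
    sid = login("alice", planted)
    return sid == planted and store.user_for(planted) == "alice"


if __name__ == "__main__":
    s = SessionStore()
    print("client-only logout leaves session live:", session_survives_logout(s, s.logout_client_only))
    print("server-side logout kills session:      ", not session_survives_logout(s, s.logout))
    print("weak login accepts planted id:         ", planted_id_becomes_session(s, s.login_weak))
    print("hardened login rejects planted id:     ", not planted_id_becomes_session(s, s.login))
```

Against a live application the same two checks are run with a second client: capture the session cookie, log out in the first client, then replay the cookie from the second and see whether an authenticated page is still served. A logout that only sets an expiring cookie passes a casual browser test and fails this one.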

Key dates

Disclosure timeline

August 9, 2023 CVE published
September 20, 2024 Record updated