CVE-2024-25977: Session Fixation

Vendor: Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim, Germany
Product: HAWKI
Weakness: CWE-384 (Session Fixation)
Published: May 29, 2024
Last update: February 13, 2025

Description

The application does not issue a new session identifier on login and does not invalidate the existing one on logout, so the session ID a browser holds before authentication is the same ID that becomes authenticated. An attacker who can plant a known session ID in the victim's browser (e.g. via XSS setting the session cookie) and then get the victim to log in (e.g. via a redirect to the login page) ends up holding a valid, authenticated session for the victim's account, which amounts to an account takeover. The standard remediation for CWE-384 is to regenerate the session ID whenever the privilege level changes (at minimum on successful login) and to destroy the server-side session on logout rather than merely clearing the user from it.
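The attack described above, replayed against a minimal in-memory session store. This is an added example and not HAWKI's code: the `SessionStore` class, the `USERS` table, the attacker/victim roles and the chosen session ID are all constructed for illustration. The store is built with two switches so the same scenario can be run against a login that keeps the pre-authentication session ID (the behaviour the advisory describes) and one that rotates it and destroys the session on logout.

```python
# Added example (not HAWKI's code): a minimal in-memory session store used
# to replay a session-fixation attack against a login that keeps the
# pre-authentication session ID, and against one that rotates it.
# All names (SessionStore, USERS, the attacker/victim roles) are constructed.
import secrets

# Constructed credential table standing in for the real user database.
USERS = {"victim": "correct-horse-battery-staple"}


class SessionStore:
    """Server-side session table keyed by the cookie value the client sends."""

    def __init__(self, rotate_on_login: bool, destroy_on_logout: bool):
        self.rotate_on_login = rotate_on_login
        self.destroy_on_logout = destroy_on_logout
        self.sessions: dict[str, dict] = {}  # session_id -> {"user": str | None}

    def resume(self, session_id: str) -> str:
        # Permissive resumption: an unknown client-supplied ID is adopted as a
        # new anonymous session. This is what lets an attacker fix the ID
        # before the victim authenticates.
        self.sessions.setdefault(session_id, {"user": None})
        return session_id

    def login(self, session_id: str, username: str, password: str) -> str:
        """Authenticate; return the session ID the client must use from now on."""
        session_id = self.resume(session_id)
        if USERS.get(username) != password:
            return session_id  # failed login leaves the session anonymous
        if self.rotate_on_login:
            # Hardened: discard the pre-auth record and mint a fresh ID, so an
            # ID known to a third party never becomes an authenticated one.
            del self.sessions[session_id]
            session_id = secrets.token_urlsafe(32)
            self.sessions[session_id] = {"user": None}
        self.sessions[session_id]["user"] = username
        return session_id

    def logout(self, session_id: str) -> None:
        if session_id not in self.sessions:
            return
        if self.destroy_on_logout:
            del self.sessions[session_id]  # the cookie value is now meaningless
        else:
            self.sessions[session_id]["user"] = None  # ID stays live, just anonymous

    def whoami(self, session_id: str):
        rec = self.sessions.get(session_id)
        return rec["user"] if rec else None


def fixation_attack(store: SessionStore):
    """Replay the advisory's scenario against `store`.

    Returns (victim_sees, attacker_sees): the username each party is logged in
    as when each presents their own cookie after the victim has logged in.
    """
    # 1. Attacker obtains a session ID the server will honour. With permissive
    #    resumption any value works; the server just has to know it.
    fixed_id = store.resume("attacker-chosen-session-id")
    # 2. Attacker plants that ID in the victim's browser (e.g. via XSS writing
    #    the session cookie) and sends the victim to the login page.
    victim_cookie = fixed_id
    # 3. Victim logs in with their real credentials using the planted cookie.
    victim_cookie = store.login(victim_cookie, "victim", USERS["victim"])
    # 4. Attacker presents the ID they chose in step 1.
    return store.whoami(victim_cookie), store.whoami(fixed_id)


def id_survives_logout(store: SessionStore) -> bool:
    """True if a session ID is still accepted by the server after logout.

    Models the logout half of the advisory: a logout that neither rotates nor
    destroys the server-side session leaves the old ID usable afterwards.
    """
    sid = store.login(store.resume(secrets.token_urlsafe(32)), "victim", USERS["victim"])
    store.logout(sid)
    return sid in store.sessions


if __name__ == "__main__":
    vulnerable = SessionStore(rotate_on_login=False, destroy_on_logout=False)
    hardened = SessionStore(rotate_on_login=True, destroy_on_logout=True)
    print("vulnerable:", fixation_attack(vulnerable))  # ('victim', 'victim')
    print("hardened:  ", fixation_attack(hardened))    # ('victim', None)
    print("vulnerable logout keeps ID:", id_survives_logout(vulnerable))  # True
    print("hardened logout keeps ID:  ", id_survives_logout(hardened))    # False
```

The two switches map onto what a real session layer has to do: the ID the client presents before login must never be the ID that carries the authenticated state, and logout must remove the server-side record, not just blank its fields. In PHP, for instance, that is `session_regenerate_id(true)` after a successful credential check and `session_destroy()` on logout; enabling `session.use_strict_mode` additionally stops the server from adopting an uninitialised client-supplied ID, which removes the attacker's step 1 above. Whether HAWKI is built on PHP or another stack is not stated in the advisory; the pattern is the same in any framework.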

Disclosure timeline

May 29, 2024: CVE published
February 13, 2025: Record updated