Vulnerability Details CVE-2020-5224
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.3%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
- https://github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g
- https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9
- https://github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g
- https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9
Products affected by CVE-2020-5224
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:0.1.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:0.1.1
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:0.1.2
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:0.1.3
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:0.1.4
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.0.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.1.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.1.1
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.2.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.3.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.3.1
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.4.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.5.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.5.1
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.5.2
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.5.3
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.6.0
-
cpe:2.3:a:django-user-sessions_project:django-user-sessions:1.7.0