Session Fixation in ipsilon
Critical severity • GitHub Reviewed
Published May 14, 2022 to the GitHub Advisory Database • Updated Sep 18, 2023
Package
Affected versions        Patched version
>= 2.0.0, < 2.0.2        2.0.2
>= 1.2.0, < 1.2.1        1.2.1
>= 1.1.0, < 1.1.2        1.1.2
>= 1.0.0, < 1.0.3        1.0.3
Description
Published by the National Vulnerability Database: Jul 12, 2017
Reviewed: Feb 14, 2023
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 allows an attacker to log out the active sessions of other users. The issue stems from how ipsilon tracks sessions: an unauthenticated attacker can view and terminate the active sessions of other users. It is also known as the "SAML2 multi-session vulnerability."
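The advisory names two defects of the session-fixation class: a caller who has not logged in can see and terminate other users' sessions, and session state is not bound tightly enough to the authenticated user. The following is an added example, not ipsilon's code, of a minimal session store that closes both gaps: it rotates the session id at login so a pre-login id carries no authenticated state, and it lets a caller list or terminate only sessions that belong to the user it has itself authenticated as. The names `SessionStore`, `Session` and `demo` are hypothetical; the users "alice" and "bob" are constructed sample data.

```python
"""Constructed example of a hardened session store (not ipsilon's code).

Defends against the two behaviours named in the advisory:
  1. session fixation: the pre-login session id is retired at login;
  2. cross-user listing/termination: only an authenticated caller may
     list or end sessions, and only those owned by the same user.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str] = None  # None until the browser completes a login


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create_anonymous(self) -> str:
        """Issue a pre-login session id (e.g. to carry SAML2 request state)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid)
        return sid

    def authenticate(self, sid: str, user: str) -> str:
        """Bind the session to `user` and rotate its id.

        Rotation is the session-fixation defence: an id that was planted or
        observed before login is useless afterwards, because the
        authenticated state exists only under the freshly minted id.
        """
        self._sessions.pop(sid)  # KeyError for an unknown id is intended
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(new_sid, user)
        return new_sid

    def _authenticated(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        return s if s is not None and s.user is not None else None

    def active_sessions(self, caller_sid: str) -> List[str]:
        """List session ids, but only the caller's own and only once logged in."""
        caller = self._authenticated(caller_sid)
        if caller is None:
            return []  # an unauthenticated caller learns nothing
        return sorted(s.sid for s in self._sessions.values() if s.user == caller.user)

    def terminate(self, caller_sid: str, target_sid: str) -> bool:
        """End `target_sid` only if the caller is logged in as its owner."""
        caller = self._authenticated(caller_sid)
        target = self._sessions.get(target_sid)
        if caller is None or target is None or target.user != caller.user:
            return False  # anonymous caller, unknown target, or another user's session
        del self._sessions[target_sid]
        return True


def demo() -> Dict[str, bool]:
    """Exercise the checks with constructed users and return the observations."""
    store = SessionStore()
    pre_login = store.create_anonymous()
    alice = store.authenticate(pre_login, "alice")
    bob = store.authenticate(store.create_anonymous(), "bob")
    anon = store.create_anonymous()
    return {
        "fixated_id_retired": pre_login not in store._sessions,
        "anon_sees_nothing": store.active_sessions(anon) == [],
        "anon_cannot_terminate": not store.terminate(anon, bob),
        "alice_cannot_terminate_bob": not store.terminate(alice, bob),
        "alice_sees_only_self": store.active_sessions(alice) == [alice],
        "alice_can_logout_self": store.terminate(alice, alice),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The essential property is that authorization for listing and termination is derived from the caller's own authenticated session, never from a session reference the caller supplies; rotating the id at login is what keeps a pre-login id from ever being a valid handle on an authenticated session.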
References