How severe is CVE-2020-5290?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2020-5290?

This is classified as CWE-384, which is a common weakness in software security.

CVE-2020-5290

MEDIUM Year: 2020

CVSS v3 Score

6.5

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-384

View all →

Vulnerability Description

In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3.

CVE-2010-3671

MEDIUM

CVSS:6.5(Medium)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

CWE-3842010

CVE-2017-1368

MEDIUM

CVSS:6.5(Medium)

IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by s...

CWE-3842017

CVE-2018-0229

MEDIUM

CVSS:6.5(Medium)

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive...

CWE-3842018

CVE-2018-1000519

MEDIUM

CVSS:6.5(Medium)

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage...

CWE-3842018

CVE-2018-1148

MEDIUM

CVSS:6.5(Medium)

In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. An authenticated attacker could maintain system access due to session fixation after a us...

CWE-3842018

CVE-2019-10045

MEDIUM

CVSS:6.5(Medium)

The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reus...

CWE-3842019

CVE-2020-5290

Vulnerability Description

Related Vulnerabilities

CVE-2010-3671

CVE-2017-1368

CVE-2018-0229

CVE-2018-1000519

CVE-2018-1148

CVE-2019-10045