CVE-2020-5224: Session key exposure through session list in Django User Sessions
The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify each session and is therefore included in the rendered HTML. In itself this is not a problem. However, if the website has an XSS vulnerability, an attacker could extract the session key from the page and take over the session.
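The following is an added illustration of the pattern the advisory describes and one way to mitigate it; it is not code from django-user-sessions and does not reproduce the project's actual fix in the referenced commit. It contrasts a session list that writes the raw session key into the HTML with one that exposes only a keyed one-way identifier (HMAC-SHA256 over the session key, keyed with the server secret), plus the lookup a delete view would need to map that identifier back to a session. `SECRET_KEY`, the `Session` dataclass and the sample sessions are constructed stand-ins, not real values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from html import escape

# Constructed stand-in for Django's settings.SECRET_KEY (hypothetical value).
SECRET_KEY = "replace-me-with-the-real-secret-key"


@dataclass
class Session:
    session_key: str   # the value carried in the user's session cookie
    ip: str
    user_agent: str


# Constructed sample sessions, not real data.
SESSIONS = [
    Session("k7vq2m1z9fd3h8p0s5w4x6y2b3n1c0a9", "203.0.113.5", "Mozilla/5.0 (X11)"),
    Session("a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "198.51.100.7", "Mozilla/5.0 (Windows)"),
]


def opaque_id(session_key: str, secret: str = SECRET_KEY) -> str:
    """One-way identifier for a session: HMAC-SHA256 keyed with the server secret.

    A script running in the page can read this value and name the row,
    but cannot recover the cookie value from it.
    """
    return hmac.new(secret.encode(), session_key.encode(), hashlib.sha256).hexdigest()


def render_vulnerable(sessions) -> str:
    """Session list that embeds the raw session key in the HTML (the exposed pattern)."""
    rows = [
        f'<li>{escape(s.ip)} <a href="/sessions/{escape(s.session_key)}/delete/">end</a></li>'
        for s in sessions
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def render_hardened(sessions) -> str:
    """Session list that embeds only the opaque identifier, never the session key."""
    rows = [
        f'<li>{escape(s.ip)} <a href="/sessions/{opaque_id(s.session_key)}/delete/">end</a></li>'
        for s in sessions
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def resolve_session(sessions, identifier: str):
    """Delete-view lookup: map an opaque identifier back to one of the given sessions.

    Callers must pass only the requesting user's own sessions, so an identifier
    can never select another user's session. Comparison is constant-time.
    """
    for s in sessions:
        if hmac.compare_digest(opaque_id(s.session_key), identifier):
            return s
    return None


def leaks_session_key(html: str, sessions) -> bool:
    """Regression check: does the rendered page contain any session key verbatim?"""
    return any(s.session_key in html for s in sessions)


if __name__ == "__main__":
    print("vulnerable leaks key:", leaks_session_key(render_vulnerable(SESSIONS), SESSIONS))
    print("hardened leaks key:  ", leaks_session_key(render_hardened(SESSIONS), SESSIONS))
    ident = opaque_id(SESSIONS[0].session_key)
    print("resolved:", resolve_session(SESSIONS, ident) is SESSIONS[0])
```

The `leaks_session_key` check is the kind of assertion a template test can carry so that a session key never reappears in rendered output. In a real Django view the `sessions` argument would be the queryset already filtered by `request.user`, and the lookup would be done on that queryset rather than on a list.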
References
- github.com/Bouke/django-user-sessions
- github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g
- github.com/advisories/GHSA-5fq8-3q2f-4m5g
- github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9
- github.com/pypa/advisory-database/tree/main/vulns/django-user-sessions/PYSEC-2020-230.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-5224