CVE-2022-4231

Description

Tribal Systems Zenario CMS 9.3.57595 is vulnerable to session fixation. In Zenario CMS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with. The attack may be initiated remotely and an exploit has been disclosed.

How to fix CVE-2022-4231

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2022-4231 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 9.3.57595

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-4231
• PATCHgithub.com/TribalSystems/Zenario
• WEBgithub.com/lithonn/bug-report/tree/main/vendors/tribalsystems/zenario/session-fixation
• WEBvuldb.com/?id.214589