aiohttp-session Session Fixation vulnerability · CVE-2018-1000519 · GitHub Advisory Database · GitHub

aiohttp-session Session Fixation vulnerability

Moderate severity GitHub Reviewed Published Sep 13, 2018 to the GitHub Advisory Database • Updated Sep 3, 2024

Package

aiohttp-session (pip)

Affected versions

< 2.4.0

Patched versions

2.4.0

Description

The pypi package aiohttp-session before 2.4.0 contained a Session Fixation vulnerability in load_session function for RedisStorage that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).

References

Published to the GitHub Advisory Database Sep 13, 2018

Reviewed Jun 16, 2020

Last updated Sep 3, 2024