CVE-2018-18380

A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
bigtreecmsbigtree_cms
𝑥
< 4.2.24
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/zionspike/680eb504db7c86296fad0eff30c6317f
https://github.com/bigtreecms/BigTree-CMS/commit/c69402c4764ed9a76301c57277aefe70141b6418
https://github.com/bigtreecms/BigTree-CMS/tree/4.2.24
https://gist.github.com/zionspike/680eb504db7c86296fad0eff30c6317f
https://github.com/bigtreecms/BigTree-CMS/commit/c69402c4764ed9a76301c57277aefe70141b6418
https://github.com/bigtreecms/BigTree-CMS/tree/4.2.24