Session Fixation vulnerability - BloomReach Experience - Open Source CMS

Session Fixation vulnerability 

Issue date: 31-10-2018
Affects versions: 12.4, 12.3, 11.2, 10.2

Issue ID: SECURITY-77

Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12 and earlier versions.

Severity 
normal

Description

The CMS web application has a session fixation vulnerability that allows an attacker to take over a user session and gain unauthorized access. The attacker first obtains a legitimate web application session ID and then tries to make the victim's browser use it; because the application keeps using that ID after the victim logs in, the ID already known to the attacker becomes an authenticated session. See https://www.owasp.org/index.php/Session_fixation
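The following is an added illustration, not code from the CMS (which is a Java web application): a small Python model of a server-side session table with a login routine that keeps whatever session ID the browser presented, beside one that rotates the ID at the authentication boundary, the standard mitigation (the Servlet 3.1 equivalent is `HttpServletRequest.changeSessionId()`). All names and the scenario are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory model of a server-side session table (constructed for the example)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def new_session(self):
        """Issue a fresh, unguessable ID, as a request without a session would receive."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def attributes(self, sid):
        """Return the attribute dict for a known ID, or None for an unknown one."""
        return self._sessions.get(sid)

    def change_session_id(self, old_id):
        """Move the attributes to a new ID and retire the old one."""
        attrs = self._sessions.pop(old_id)
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = attrs
        return new_id


def login_fixable(store, presented_id, user):
    """Vulnerable pattern: the authenticated session keeps the ID the browser presented."""
    if store.attributes(presented_id) is None:  # unknown ID: fall back to a fresh session
        presented_id = store.new_session()
    store.attributes(presented_id)["user"] = user
    return presented_id


def login_hardened(store, presented_id, user):
    """Fixed pattern: rotate the ID before binding the authenticated identity to it."""
    if store.attributes(presented_id) is None:
        presented_id = store.new_session()
    new_id = store.change_session_id(presented_id)
    store.attributes(new_id)["user"] = user
    return new_id


def is_authenticated(store, sid):
    attrs = store.attributes(sid)
    return attrs is not None and "user" in attrs


def simulate(login):
    """Replay the fixation scenario: a pre-login ID is issued, then the victim logs in with it."""
    store = SessionStore()
    pre_login_id = store.new_session()                 # legitimate ID obtained before login
    victim_id = login(store, pre_login_id, "victim")   # victim authenticates using that ID
    return {
        "pre_login_id_authenticated": is_authenticated(store, pre_login_id),
        "victim_id_authenticated": is_authenticated(store, victim_id),
        "id_rotated": victim_id != pre_login_id,
    }
```

With `login_fixable` the ID issued before login is authenticated after the victim signs in; with `login_hardened` it is retired and only the freshly issued ID carries the session.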

Instructions

This vulnerability has been fixed in all currently supported CMS versions through code changes only; remediation requires nothing more than updating to the latest maintenance releases: CMS 10.2.13, CMS 11.2.9, CMS 12.3.2 or CMS 12.4.1.