CVE-2024-24552: Bludit is Vulnerable to Session Fixation
First published: Mon Jun 24 2024(Updated: )
A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their choosing.
Credit: vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bludit |
Remedy
See OWASP Session Management Cheatsheet: The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state though in some cases still not yet the authorized state. Common scenarios to consider include; password changes, permission changes, or switching from a regular user role to an administrator role within the web application. For all sensitive pages of the web application, any previous session IDs must be ignored, only the current session ID must be assigned to every new request received for the protected resource, and the old or previous session ID must be destroyed.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-24552?
CVE-2024-24552 is considered a high severity vulnerability due to its potential to allow session fixation attacks.
How do I fix CVE-2024-24552?
To fix CVE-2024-24552, you should update to the latest version of Bludit that addresses this session fixation vulnerability.
Who is affected by CVE-2024-24552?
CVE-2024-24552 affects all versions of Bludit where session IDs can be manipulated by an attacker.
What kind of attack does CVE-2024-24552 enable?
CVE-2024-24552 enables session fixation attacks, allowing unauthorized access to a user's session.
Is there a workaround for CVE-2024-24552?
As a temporary workaround for CVE-2024-24552, administrators should avoid clicking on untrusted links and ensure session cookie attributes are correctly configured.
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- collector/nvd-api
- source/NVD
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/bludit
- canonical/bludit