CVE-2019-7849: Session Fixation in Magento

CWE-384 Session Fixation | 4 documents | 4 sources
Severity
7.5 HIGH (NVD)
EPSS
0.0%
top 85.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 2
Latest update: May 24

Description

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Source | Package | Affected from | Fixed in
NVD | magento/magento | 1.0.0 | 1.9.4.2 (+4)
Packagist | magento/community-edition | 2.1.0 | 2.1.18 (+2)

Vulnerability Details (3)

GHSA: Magento 2 Community Edition Session Fixation Check (2022-05-24)
OSV: Magento 2 Community Edition Session Fixation Check (2022-05-24)
CVEList: CVE-2019-7849: A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules (2019-08-02)
CVE-2019-7849 — Session Fixation in Magento | cvebase