
CVE-2024-25977: Session Fixation

Description

The application does not regenerate the session token on login or logout. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page); because the token survives authentication, the attacker-known token is now bound to the victim's account, which results in account takeover.
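To make the defect and its remedy concrete, here is an added example (not code from HAWKI or the linked commit) using a minimal in-memory session store. It places the vulnerable login pattern, which authenticates whatever session id the browser already presents, beside the hardened pattern, which discards the pre-authentication session and issues a fresh id, and it invalidates the server-side session on logout. The user table, credentials and function names are constructed for the demo; a real application would verify a password hash and store sessions in its framework's session backend.

```python
import secrets
from typing import Callable, Optional

# Constructed demo credential table; a real application verifies a password hash.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by an unguessable session id."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self) -> str:
        # 256 bits of randomness: the id must be unguessable, but unguessability
        # alone does not help if an attacker can plant a known id in the browser.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def exists(self, sid: str) -> bool:
        return sid in self._sessions

    def user_for(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return None if sess is None else sess["user"]

    def set_user(self, sid: str, user: str) -> None:
        self._sessions[sid]["user"] = user


def verify_credentials(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and secrets.compare_digest(expected, password)


def login_without_rotation(store: SessionStore, sid: str, user: str, password: str) -> Optional[str]:
    """Vulnerable pattern: marks the already-presented session as authenticated."""
    if not store.exists(sid) or not verify_credentials(user, password):
        return None
    store.set_user(sid, user)  # the id the browser arrived with is now a logged-in session
    return sid


def login_with_rotation(store: SessionStore, sid: str, user: str, password: str) -> Optional[str]:
    """Hardened pattern: drop the pre-auth session and bind the user to a new id."""
    if not verify_credentials(user, password):
        return None
    store.destroy(sid)          # anything that knew the old id learns nothing useful
    new_sid = store.create()    # fresh id is only ever sent to this response
    store.set_user(new_sid, user)
    return new_sid


def logout(store: SessionStore, sid: str) -> str:
    """Invalidate server-side state, not just the cookie, and hand out a new anonymous id."""
    store.destroy(sid)
    return store.create()


def planted_id_gets_authenticated(login: Callable[..., Optional[str]]) -> bool:
    """Regression check: does a session id known before login become a logged-in session?"""
    store = SessionStore()
    planted = store.create()  # an anonymous id that was fixed in the browser before login
    login(store, planted, "alice", USERS["alice"])
    return store.user_for(planted) == "alice"


if __name__ == "__main__":
    print("vulnerable login leaks account:", planted_id_gets_authenticated(login_without_rotation))
    print("rotating login leaks account:  ", planted_id_gets_authenticated(login_with_rotation))
```

`planted_id_gets_authenticated` is the kind of check worth keeping in a test suite: it passes for the rotating implementation and fails for the in-place one, so a later refactor that drops the rotation is caught immediately. Web frameworks expose the same operation directly (for example `session_regenerate_id(true)` in PHP or `request.session.cycle_key()` in Django); the point is that it must be called on every privilege change, login and logout included.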

Classification

CVE ID: CVE-2024-25977

Affected Products

Vendor: Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany

Product: HAWKI

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (share of all scored CVEs whose EPSS score is less than or equal to this one)

EPSS Date: 2025-03-14 (date on which this score was calculated)

References

https://r.sec-consult.com/hawki
https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1
http://seclists.org/fulldisclosure/2024/May/34

Timeline