Session key exposure through session list in Django User Sessions

Low severity GitHub Reviewed Published Jan 24, 2020 in jazzband/django-user-sessions • Updated Jan 9, 2023

Package

pip django-user-sessions (pip)

Affected versions

< 1.7.1

Patched versions

1.7.1

Description

Impact

The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions, and is therefore included in the rendered HTML. In itself this is not a problem. However, if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.

Patches

Patch is under way.

Workarounds

Remove the session_key from the template.
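The following is an added example, not code from the django-user-sessions project and not its 1.7.1 patch. It illustrates the impact described above and the workaround: the unsafe rendering embeds the raw session key in the session list, so any XSS on the site can read it and replay it as a cookie; the hardened rendering shows an opaque HMAC-derived handle instead, and the server maps the handle back to a session only among the requesting user's own sessions. The `Session` dataclass, `SECRET_KEY` value and sample sessions are constructed for this example.

```python
import hashlib
import hmac
import html
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed for this example; a real deployment would use Django's SECRET_KEY.
SECRET_KEY = b"constructed-secret-for-this-example-only"


@dataclass(frozen=True)
class Session:
    """Minimal stand-in (assumption) for a stored user session."""
    session_key: str  # the value of the sessionid cookie: must never reach HTML
    user_id: int
    ip: str
    user_agent: str


def session_handle(session_key: str, secret: bytes = SECRET_KEY) -> str:
    """Opaque identifier for a session that is safe to embed in HTML.

    An HMAC over the key cannot be reversed to the key itself, and without
    the server-side secret an attacker cannot forge handles for other keys.
    """
    return hmac.new(secret, session_key.encode("utf-8"), hashlib.sha256).hexdigest()


def render_session_list_unsafe(sessions: Iterable[Session]) -> str:
    """'Before': the delete action is keyed by the raw session key.

    The key is the bearer credential for the session, so an XSS payload
    reading this page can take the session over.
    """
    rows = []
    for s in sessions:
        rows.append(
            f"<tr><td>{html.escape(s.ip)}</td><td>{html.escape(s.user_agent)}</td>"
            f'<td><form method="post" action="/sessions/{s.session_key}/delete/">'
            "<button>End session</button></form></td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_session_list(sessions: Iterable[Session]) -> str:
    """'After': only the non-reversible handle appears in the markup.

    A script that reads this page learns which sessions exist, but not the
    cookie value needed to act as any of them.
    """
    rows = []
    for s in sessions:
        handle = session_handle(s.session_key)
        rows.append(
            f"<tr><td>{html.escape(s.ip)}</td><td>{html.escape(s.user_agent)}</td>"
            f'<td><form method="post" action="/sessions/{handle}/delete/">'
            "<button>End session</button></form></td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def find_session_by_handle(user_sessions: Iterable[Session], handle: str) -> Optional[Session]:
    """Resolve a handle submitted by the delete form back to a session.

    The search is restricted to the sessions of the authenticated user, so a
    handle can at most terminate one of that user's own sessions.
    """
    for s in user_sessions:
        if hmac.compare_digest(session_handle(s.session_key), handle):
            return s
    return None


# Constructed sample data: two sessions belonging to the same user.
SAMPLE_SESSIONS: List[Session] = [
    Session("r6m3kz9qv2w8b1n5t7c4x0p8j6h2l9d3", 42, "203.0.113.5", "Mozilla/5.0 (desktop)"),
    Session("y2k8w4n6q1m9z5x3v7b0p2r4t6s8u1g3", 42, "198.51.100.7", "Mozilla/5.0 (phone)"),
]


if __name__ == "__main__":
    print("unsafe markup contains raw key:",
          SAMPLE_SESSIONS[0].session_key in render_session_list_unsafe(SAMPLE_SESSIONS))
    print("hardened markup contains raw key:",
          SAMPLE_SESSIONS[0].session_key in render_session_list(SAMPLE_SESSIONS))
```

The delete view still needs to scope its lookup to `request.user`'s sessions, as `find_session_by_handle` does; the handle only removes the takeover path, it does not replace the ownership check.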

References

None.

For more information

If you have any questions or comments about this advisory:

References

@Bouke Bouke published to jazzband/django-user-sessions Jan 24, 2020
Reviewed Jan 24, 2020
Published to the GitHub Advisory Database Jan 24, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

CVE-2020-5224

GHSA ID

GHSA-5fq8-3q2f-4m5g

Source code

No known source code