CVE-2009-20001
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
Se detectó un problema en MantisBT versiones anteriores a 2.24.5. Asocia una cadena de cookies única con cada usuario. Esta cadena no se restablece al cerrar la sesión (es decir, la sesión del usuario aún se considera válida y activa), lo que permite que un atacante que de alguna manera obtuvo acceso a la cookie de un usuario inicie sesión como él
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-03-07 CVE Reserved
- 2021-03-07 CVE Published
- 2024-07-10 EPSS Updated
- 2024-08-07 CVE Updated
- 2024-08-07 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-613: Insufficient Session Expiration
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://mantisbt.org/bugs/view.php?id=27976 | 2024-08-07 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://mantisbt.org/bugs/view.php?id=11296 | 2021-03-11 |