Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00077
Percentile: 0.23802
CVSS Scoring
CVSS v3.1 Score: 7.0
Severity: HIGH
Mapped CWE(s)
- CWE-384: Session Fixation
All CAPEC(s)
- CAPEC-196: Session Credential Falsification through Forging
- CAPEC-21: Exploitation of Trusted Identifiers
- CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
- CAPEC-39: Manipulating Opaque Client-based Data Tokens
- CAPEC-59: Session Credential Falsification through Prediction
- CAPEC-60: Reusing Session IDs (aka Session Replay)
- CAPEC-61: Session Fixation
CAPEC(s) with Mapped TTPs
- CAPEC-196: Session Credential Falsification through Forging
  Mapped TTPs:
- CAPEC-21: Exploitation of Trusted Identifiers
  Mapped TTPs:
  - T1134: Access Token Manipulation
  - T1528: Steal Application Access Token
  - T1539: Steal Web Session Cookie
- CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
  Mapped TTPs:
  - T1539: Steal Web Session Cookie
- CAPEC-60: Reusing Session IDs (aka Session Replay)
  Mapped TTPs:
Mapped ATT&CK TTPs
- T1134.002: Create Process with Token (Kill Chain: defense-evasion)
- T1134.003: Make and Impersonate Token (Kill Chain: defense-evasion)
- T1606: Forge Web Credentials (Kill Chain: credential-access)
- T1134: Access Token Manipulation (Kill Chain: defense-evasion)
- T1528: Steal Application Access Token (Kill Chain: credential-access)
- T1539: Steal Web Session Cookie (Kill Chain: credential-access)
- T1134.001: Token Impersonation/Theft (Kill Chain: defense-evasion)
- T1550.004: Web Session Cookie (Kill Chain: defense-evasion)
Malware
APTs Threat Group Associations
Campaigns
- SolarWinds Compromise
- Leviathan Australian Intrusions
- HomeLand Justice
- C0017
Affected Products
- cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*