{"CVE_data_meta":{"ASSIGNER":"kurt@seifried.org","DATE_ASSIGNED":"2018-06-23T11:22:33.022004","DATE_REQUESTED":"2018-04-30T09:23:21","ID":"CVE-2018-1000519","REQUESTER":"panos122008@gmail.com"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"aiohttp-session","version":{"version_data":[{"version_value":"v2.3.0 and earlier"}]}}]},"vendor_name":"aio-libs"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"aio-libs aiohttp-session version v2.3.0 and earlier contains a Session Fixation vulnerability in the load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Session Fixation"}]}]},"references":{"reference_data":[{"url":"https://github.com/aio-libs/aiohttp-session/issues/272"},{"url":"https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L60"}]}}