Description
Progress Sitefinity 10.1.6536 does not invalidate session cookies on logout. Instead, it tries to overwrite the cookie in the browser, but the cookie remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
References (2)
Core References
Various Sources x_refsource_misc
https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D
Release Notes, Vendor Advisory x_refsource_confirm
https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
4.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-613
Status
published
Products (1)
progress/sitefinity
7.0 - 7.0.5143
Published
Jun 06, 2019
Tracked Since
Feb 18, 2026