CVE-2020-5224
Severity: MEDIUM
django-user-sessions < 1.7.1 - Session Takeover via Exposed Session Key
Title source: llmDescription
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions and is therefore included in the rendered HTML. In itself this is not a problem. However, if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.
References (2)
Core References
Third Party Advisory (x_refsource_confirm)
https://github.com/Bouke/django-user-sessions/security/advisories/GHSA-5fq8-3q2f-4m5g
Scores
CVSS v3
6.5
EPSS
0.0044
EPSS Percentile
34.8%
Attack Vector
NETWORK
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Details
CWE
CWE-287
CWE-326
Status
published
Products (2)
django-user-sessions_project/django-user-sessions
< 1.7.1
pypi/django-user-sessions
0 - 1.7.1 (PyPI)
Published
Jan 24, 2020
Tracked Since
Feb 18, 2026