CVE-2020-36913

Summary

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks.

Affected Software

VendorProductVersion RangeStatus
All-Dynamics Softwareenlogic:show Digital Signage System2.0.2 (Build 2098) ILP32W 0/1/3/1597919619affected

Weaknesses

  • CWE-384: Session Fixation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References