CVE-2020-5224

Summary

In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.

Affected Software

VendorProductVersion RangeStatus
Jazzbanddjango-user-sessions< 1.7.1affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication

ADP Enrichment

CVE Program Container

Additional References

References