CVE-2024-10920

CVSS 3.1 Score 3.1 of 10 (low)

Details

Published Nov 6, 2024
CWE ID 321
CWE ID 320

Summary

CVE-2024-10318 is a session fixation vulnerability affecting the NGINX OpenID Connect reference implementation. The issue arises from a failure to validate the nonce during login, which lets an attacker fix a victim's session to an attacker-controlled account. While an attacker cannot directly log in as the victim, they can force the victim's session to be associated with the attacker's own account, potentially misusing that session for unauthorized actions.
