CVE-2018-16495
CVE-2018-16495 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. In VOS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login makes it possible for an attacker to set up a trap session on the device the victim is likely to log in with. EPSS estimates a 0.91% chance of exploitation in the next 30 days.
Description
In VOS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login makes it possible for an attacker to set up a trap session on the device the victim is likely to log in with.
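The defect described above is the classic session-fixation pattern (CWE-384): the pre-authentication session ID stays valid, and becomes privileged, after login. The following added example is illustrative code written for this page, not VOS code or any real framework's API. It models a minimal in-memory session store with a constructed user table, shows a login routine that keeps the pre-auth ID (the vulnerable behaviour) beside one that rotates it (the fix), and includes a `demo()` check a reviewer or tester can use to confirm that an ID known before authentication no longer resolves to the authenticated account afterwards.

```python
"""Session-ID handling on login: vulnerable vs. hardened.

Illustrative example only. The store, user table and function names are
assumptions for this page, not VOS or any real framework.
"""
import hmac
import secrets

# Constructed sample credential store. Plain comparison is used for brevity;
# production code stores and verifies password hashes instead.
USERS = {"alice": "correct horse battery staple"}


def _check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Maps session IDs to their state (authenticated user or None)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Issue an anonymous session, e.g. on the first request to the login page."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if unknown/anonymous."""
        session = self._sessions.get(sid)
        return None if session is None else session["user"]

    def login_vulnerable(self, sid, username, password):
        """Authenticate but keep the pre-auth session ID (the CVE-2018-16495 pattern)."""
        if sid not in self._sessions or not _check_password(username, password):
            return None
        self._sessions[sid]["user"] = username
        return sid  # same ID the browser held before login

    def login_hardened(self, sid, username, password):
        """Authenticate and rotate the session ID, invalidating the old one."""
        if sid not in self._sessions or not _check_password(username, password):
            return None
        self._sessions.pop(sid)  # the pre-auth ID stops working entirely
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def demo(hardened):
    """Regression check for session fixation.

    An anonymous ID is issued before login (this is the ID a third party could
    know or have planted), then the victim logs in using it. Returns True if
    that pre-auth ID now resolves to the authenticated account, i.e. if the
    defect is present.
    """
    store = SessionStore()
    pre_auth_sid = store.create()
    login = store.login_hardened if hardened else store.login_vulnerable
    login(pre_auth_sid, "alice", USERS["alice"])
    return store.user_for(pre_auth_sid) == "alice"


if __name__ == "__main__":
    print("vulnerable store: pre-auth ID becomes privileged ->", demo(hardened=False))
    print("hardened store:   pre-auth ID becomes privileged ->", demo(hardened=True))
```

The check in `demo()` is the same one worth running against any real login flow: capture the session cookie before authenticating, log in, and confirm the old value is rejected and a fresh one was issued. In the hardened version the old ID is deleted rather than merely re-labelled, so a stale or planted identifier cannot later be promoted by any other code path.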
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Versa-Networks | Versa Operating System | < 16.1r2s11 |
| Versa-Networks | Versa Operating System | >= 20.2.0, < 20.2.2 |
| Versa-Networks | Versa Operating System | >= 21.1.0, < 21.1.1 |
References
- https://hackerone.com/reports/1168192 (Third Party Advisory)
Source: NVD / NIST
