Miggo Logo
Miggo Vulnerability Database
CVE-2020-23136

CVE-2020-23136: Microweber Insufficient Session Expiry

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-23136
GHSA ID
GHSA-g7r3-jwhw-2wfv
EPSS Score
0.16164%
CWE
CWE-613
Published
5/24/2022
Updated
8/23/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
microweber/microwebercomposer= 1.1.18

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly states sessions remain valid after logout, indicating improper session termination. In PHP applications, this typically stems from insufficient session handling in the logout routine. While no code was available for inspection, the logout controller is the logical location for this flaw. The confidence is medium because the conclusion is based on vulnerability patterns rather than direct code analysis. The missing session invalidation would manifest in functions responsible for ending user sessions, making the logout handler the most likely candidate.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*row***r v*.*.** is *****t** *y no s*ssion *xpiry **t*r lo*-out.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s s*ssions r*m*in v*li* **t*r lo*out, in*i**tin* improp*r s*ssion t*rmin*tion. In `P*P` *ppli**tions, t*is typi**lly st*ms *rom insu**i*i*nt s*ssion **n*lin* in t** lo*out routin*. W*il* no *o** w*s *v*il