6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5224

GHSA ID

GHSA-5fq8-3q2f-4m5g

EPSS Score

0.33419%

CWE

CWE-287

Published

1/24/2020

Updated

9/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5224

CVE-2020-5224: Session key exposure through session list in Django User Sessions

Impact

The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.

Patches

Patch is under way.

Workarounds

Remove the session_key from the template.

References

None.

For more information

If you have any questions or comments about this advisory:

Open an issue in Bouke/django-user-sessions
Email us at bouke@haarsma.eu

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5224

GHSA ID

GHSA-5fq8-3q2f-4m5g

EPSS Score

0.33419%

CWE

CWE-287

Published

1/24/2020

Updated

9/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-user-sessions	pip	< 1.7.1	1.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from session keys being rendered in HTML templates. The key evidence is in the commit diff showing removal of session_key references from session_list.html. The view responsible for rendering this template (likely a ListView subclass) and the template itself both contributed to the exposure. While no specific view function is shown in diffs, Django's pattern of URL 'user_sessions:session_list' implies a corresponding view that renders the vulnerable template. The high confidence comes from the direct template modification in the patch and test updates verifying session key removal.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vi*ws provi*** *y *j*n*o-us*r-s*ssions *llow us*rs to t*rmin*t* sp**i*i* s*ssions. T** s*ssion k*y is us** to i**nti*y s*ssions, *n* t*us in*lu*** in t** r*n**r** *TML. In its*l* t*is is not * pro*l*m. *ow*v*r i* t** w**sit* **s *n XSS

Reasoning

T** vuln*r**ility st*ms *rom s*ssion k*ys **in* r*n**r** in *TML t*mpl*t*s. T** k*y *vi**n** is in t** *ommit *i** s*owin* r*mov*l o* s*ssion_k*y r***r*n**s *rom s*ssion_list.*tml. T** vi*w r*sponsi*l* *or r*n**rin* t*is t*mpl*t* (lik*ly * ListVi*w s

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-5224: Session key exposure through session list in Django User Sessions

Impact

Patches

Workarounds

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI