
CVE-2020-5224: Session key exposure through session list in Django User Sessions

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.33419%
Published: 1/24/2020
Updated: 9/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Package Name: django-user-sessions
Ecosystem: pip
Vulnerable Versions: < 1.7.1
First Patched Version: 1.7.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from session keys being rendered in HTML templates. The key evidence is the commit diff, which removes the session_key references from session_list.html. The view responsible for rendering this template (likely a ListView subclass) and the template itself both contributed to the exposure. Although no specific view function appears in the diff, Django's URL name 'user_sessions:session_list' implies a corresponding view that renders the vulnerable template. The high confidence comes from the direct template modification in the patch and from the test updates that verify the session key is no longer rendered.
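The following is an added illustration of the root cause described above; it is not code from the Miggo page or from the django-user-sessions project. Django is not assumed to be installed, so the session-list template is mimicked with plain string formatting. The `SessionRow` dataclass, the `render_vulnerable` / `render_fixed` helpers and the `/sessions/<id>/delete/` action path are names chosen for this example, and the use of the database primary key as the row identifier in the fixed variant is an assumption about the fix, not something the page states. `leaked_session_keys` is the kind of regression check the page's "test updates" refer to: it asserts that no session key reaches the rendered HTML.

```python
"""Session list rendering: session key exposure versus an opaque row id.

Added example for CVE-2020-5224; not the project's own code. The sample
sessions below are constructed for this example.
"""
from dataclasses import dataclass
from html import escape


@dataclass(frozen=True)
class SessionRow:
    pk: int            # opaque database id; safe to place in HTML
    session_key: str   # bearer credential for the session; must never reach HTML
    ip: str
    user_agent: str


def _row(ip: str, user_agent: str, row_id: str) -> str:
    # One table row with a POST form that targets the "end session" action.
    return (
        "<tr><td>{ip}</td><td>{ua}</td>"
        "<td><form method=\"post\" action=\"/sessions/{rid}/delete/\">"
        "<button>End session</button></form></td></tr>"
    ).format(ip=escape(ip), ua=escape(user_agent), rid=escape(row_id))


def render_vulnerable(rows: list[SessionRow]) -> str:
    """Pre-fix shape: the delete form identifies each row by its session key,
    so every active session key of the user is embedded in the page. Any XSS
    on the site can read the DOM and extract those keys."""
    body = "\n".join(_row(r.ip, r.user_agent, r.session_key) for r in rows)
    return "<table>\n{}\n</table>".format(body)


def render_fixed(rows: list[SessionRow]) -> str:
    """Post-fix shape (assumed): rows are identified by their database pk only.
    The pk carries no authority by itself; the delete view must still verify
    that the referenced session belongs to the requesting user and that the
    request carries a valid CSRF token."""
    body = "\n".join(_row(r.ip, r.user_agent, str(r.pk)) for r in rows)
    return "<table>\n{}\n</table>".format(body)


def leaked_session_keys(html: str, rows: list[SessionRow]) -> list[str]:
    """Regression check: session keys that appear anywhere in rendered HTML.
    Django session keys are alphanumeric, so HTML escaping does not alter them
    and a plain substring search is sufficient."""
    return [r.session_key for r in rows if r.session_key in html]


# Constructed sample data: two sessions for the same user.
SAMPLE_SESSIONS = [
    SessionRow(7, "q3k8w2m9x1c5v7b4n6l0p2j8h5g3f1d9", "198.51.100.10", "Firefox on Linux"),
    SessionRow(12, "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4", "203.0.113.25", "Safari on iOS"),
]


if __name__ == "__main__":
    before = render_vulnerable(SAMPLE_SESSIONS)
    after = render_fixed(SAMPLE_SESSIONS)
    print("keys leaked before fix:", leaked_session_keys(before, SAMPLE_SESSIONS))
    print("keys leaked after fix: ", leaked_session_keys(after, SAMPLE_SESSIONS))
```

The check is deliberately simple: a template regression test only needs to assert that the rendered response never contains the session key, which is exactly the property the upstream test changes guard. Replacing the key with an opaque id removes the exposure but does not replace authorization; the terminate view still has to confirm ownership of the targeted session.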


WAF Protection Rules

WAF Rule

Impact

The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS
