CVE-2014-10399
Description
The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CGILua 5.1.x session.lua uses a static session ID, enabling remote attackers to hijack arbitrary sessions.
Vulnerability
The session.lua library in CGILua 5.1.x (2007–2010) contains a bug that causes it to generate the same session ID for every session [1]. This makes the library effectively unusable for secure session management, as all sessions share an identical identifier.
Exploitation
An attacker can simply use the fixed session ID to impersonate any user. No authentication or special network position is required; the attacker only needs to know the predictable ID (which is the same for all sessions) and can then hijack any active session [1].
Impact
Successful exploitation allows remote attackers to hijack arbitrary user sessions, gaining unauthorized access to the victim's authenticated web application context. This can lead to disclosure of sensitive information or unauthorized actions performed under the victim's identity [1].
Mitigation
No official patch has been released for CGILua 5.1.x. The vendor was informed but the vulnerability remains unpatched [1]. Users should avoid using the session.lua library from this version and consider upgrading to a later release with proper session ID generation, or implement a custom session management mechanism.
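The mitigation above amounts to one requirement: every session must receive a distinct, unguessable identifier. The following Python is an added example (not CGILua's code, and not a patch for session.lua) that shows a generator drawing session IDs from the operating system's CSPRNG via the `secrets` module, alongside a small audit that flags the failure mode this CVE describes: a batch of issued IDs that are all identical, reused, or too short to resist guessing. The `static_session_id` function is a constructed, hypothetical stand-in for the buggy behaviour, used only so the audit has something to catch.

```python
import secrets
from collections import Counter
from typing import Callable, List


def new_session_id(nbytes: int = 32) -> str:
    # secrets draws from the OS CSPRNG; 32 bytes gives 256 bits of entropy,
    # encoded as 43 URL-safe characters (no padding).
    return secrets.token_urlsafe(nbytes)


def static_session_id() -> str:
    # Constructed stand-in for the CVE-2014-10399 failure mode: the same ID is
    # handed to every session. Hypothetical model, not CGILua's own code.
    return "cgilua-session"


def issue_sessions(generator: Callable[[], str], n: int) -> List[str]:
    # Simulate n session creations with the supplied ID generator.
    return [generator() for _ in range(n)]


def audit_session_ids(ids: List[str], min_len: int = 22) -> List[str]:
    # Return human-readable findings over a batch of issued session IDs.
    # An empty list means the batch passed. min_len of 22 URL-safe
    # characters corresponds to roughly 128 bits of encoded entropy.
    findings: List[str] = []
    counts = Counter(ids)

    if len(ids) > 1 and len(counts) == 1:
        # Every session got the identical ID: the CVE-2014-10399 condition.
        findings.append(f"static: all {len(ids)} sessions received the same ID")
    else:
        # Any repeat at all lets one holder act as another.
        reused = sum(1 for n in counts.values() if n > 1)
        if reused:
            findings.append(f"reused: {reused} ID(s) were issued more than once")

    short = [sid for sid in counts if len(sid) < min_len]
    if short:
        findings.append(f"short: {len(short)} distinct ID(s) under {min_len} characters")
    return findings


if __name__ == "__main__":
    for name, gen in (("static (CVE-like)", static_session_id),
                      ("secrets-based", new_session_id)):
        print(name, audit_session_ids(issue_sessions(gen, 1000)) or "OK")
```

The audit is deliberately generic: point it at the session IDs recorded in an application's own logs or session store and it will surface a static or reused identifier regardless of which framework issued it.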
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGILua/session.lua library
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- seclists.org/fulldisclosure/2014/Apr/318
- www.securityfocus.com/archive/1/531981/100/0/threaded
- www.syhunt.com/en/index.php
News mentions
No linked articles in our index yet.