Tribal Systems Zenario CMS Remember Me session fixation
Description
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixation. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214589 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation in Zenario CMS 9.3.57595 Remember Me handler allows remote attackers to hijack authenticated sessions.
Vulnerability
CVE-2022-4231 describes a session fixation vulnerability in Tribal Systems Zenario CMS version 9.3.57595. The flaw resides in the Remember Me Handler, where the session identifier (PHPSESSID-Zenario) is not regenerated after a user logs out and logs back in when the "Remember me" option is active [1][2]. This allows an attacker to force a known session ID onto a victim and then wait for the victim to authenticate, thereby hijacking the session.
Exploitation
An attacker can remotely exploit this issue without authentication. By tricking a user into using a pre-set session ID (e.g., via a crafted link or by setting the cookie), the attacker can then monitor that session. When the victim logs in with the "Remember me" option, the session ID remains unchanged, giving the attacker access to the authenticated session [2]. The exploit has been publicly disclosed, increasing the risk of active attacks.
Impact
Successful exploitation enables an attacker to gain unauthorized access to the victim's authenticated session, potentially leading to account takeover and access to sensitive data or administrative functions within the CMS [1].
Mitigation
As of the publication date, no official patch has been confirmed. Users are advised to disable the "Remember me" feature as a workaround or monitor vendor updates for a fix [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
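A regression check for the behaviour described above, added here as an example (it is not Zenario or vendor code): given the Set-Cookie headers of a login response, it reports whether the PHPSESSID-Zenario session id was rotated. The sample headers are constructed, and the REMEMBER_ME cookie name is a hypothetical placeholder.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID-Zenario"  # session cookie name given in the text above


def issued_session_id(set_cookie_headers, name=SESSION_COOKIE):
    """Return the last value set for cookie `name` in Set-Cookie header values, else None."""
    value = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            value = jar[name].value
    return value


def login_rotates_session(pre_login_id, login_set_cookies, name=SESSION_COOKIE):
    """Return (ok, reason) for a login response, given the id the client sent with it."""
    new_id = issued_session_id(login_set_cookies, name)
    if new_id is None:
        # No Set-Cookie for the session: the server kept the pre-login id.
        return False, "no new session id issued at login; pre-login id stays valid"
    if new_id == pre_login_id:
        return False, "login re-issued the pre-login session id"
    return True, "session id rotated at login"


# Constructed sample traffic (not captured from a real Zenario site).
# "REMEMBER_ME" is a hypothetical cookie name used only for illustration.
PRE_LOGIN = ["PHPSESSID-Zenario=aaaa1111; path=/; HttpOnly"]
LOGIN_NOT_ROTATED = ["REMEMBER_ME=1; Max-Age=8640000; path=/"]
LOGIN_ROTATED = [
    "REMEMBER_ME=1; Max-Age=8640000; path=/",
    "PHPSESSID-Zenario=bbbb2222; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    before = issued_session_id(PRE_LOGIN)
    for label, headers in (("not rotated", LOGIN_NOT_ROTATED), ("rotated", LOGIN_ROTATED)):
        print(label, login_rotates_session(before, headers))
```

Run the same comparison against your own staging instance's login responses, once with "Remember me" ticked and once without, since the advisory ties the missing rotation to that option.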
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | <= 9.3.57595 | — |
Affected products
- Tribal Systems/Zenario CMS, v5, Range: 9.3.57595
Patches
No patches discovered yet.
References (4)