Session Fixation in instantsoft/icms2
Description
Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation vulnerability in instantsoft/icms2 allows an attacker to hijack user sessions if a session ID is set before authentication.
Vulnerability
A session fixation vulnerability exists in instantsoft/icms2 prior to version 2.16.1. The application does not regenerate the session identifier upon user login or logout, so an attacker who can set a session ID before authentication can keep using that ID afterwards. The issue affects all versions before the commit [1], which introduces sessionRegenerate() calls in the autoLogin, loginComplete, and logout methods and also sets the secure flag on cookies when the site is served over HTTPS.
Exploitation
An attacker can craft a link containing a known session ID (e.g., via URL or cookie), trick a victim into clicking it, and then wait for the victim to authenticate. After the victim logs in, the session ID remains unchanged, allowing the attacker to reuse the same session ID to impersonate the authenticated user [2]. No additional authentication or special network position is required beyond the initial social engineering step.
Impact
Successful exploitation allows the attacker to hijack the authenticated session of the victim, gaining unauthorized access to the victim's account and any associated privileges within the icms2 application. This can lead to full account compromise, including access to sensitive data and administrative functions if the victim has elevated privileges.
Mitigation
The vulnerability is fixed in icms2 version 2.16.1, released concurrently with the commit [1] on 2023-08-31. Users should upgrade to version 2.16.1 or later immediately. No workarounds are documented, and the CVE is not listed on the CISA KEV as of publication date.
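To make the fix concrete, the following PHP sketch (an added example, not icms2's own code) shows the pre-2.16.1 pattern beside a hardened login/logout that regenerates the session ID at the points named above and sets the cookie's secure flag only when HTTPS is in use; the `$userId` argument and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (the behaviour described above): the session ID that
// existed before authentication survives the login, so an ID fixed by a
// third party before login stays valid after it.
function loginCompleteVulnerable(int $userId): void
{
    $_SESSION['user_id'] = $userId; // session ID unchanged
}

// Hardened session start: secure flag follows the transport, HttpOnly keeps
// the cookie away from scripts, strict mode rejects client-supplied IDs that
// the server never issued.
function startSecureSession(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $isHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Hardened login: issue a fresh ID and discard the old session data so any
// pre-authentication ID is no longer associated with the account.
function loginComplete(int $userId): void
{
    session_regenerate_id(true);          // true = delete the old session
    $_SESSION['user_id']  = $userId;
    $_SESSION['auth_time'] = time();
}

// Hardened logout: clear state, rotate the ID, then destroy the session so
// the old identifier cannot be resumed.
function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```

A quick check for the regression described here: note the session cookie value before submitting valid credentials and again after the login response; it must differ, and the pre-login value must no longer be accepted.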
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.16.1
- instantsoft/instantsoft/icms2v5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.