CVE-2026-11335
Description
Session fixation in CollegeManagementSystem's login-form.php allows attackers to hijack user sessions after authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A session fixation vulnerability exists in the login-form.php script of tittuvarghese CollegeManagementSystem, specifically within the session_start() function. The application fails to regenerate the session identifier after a user successfully logs in. This flaw affects all versions of the software as it does not implement versioning.
Exploitation
An attacker can exploit this vulnerability by first obtaining a valid session ID, either by visiting the site or by setting an arbitrary PHPSESSID cookie. The attacker then tricks a victim into using this predetermined session ID, for example, by crafting a malicious link or instructing the victim to set the cookie. When the victim logs in, the server associates the authentication data with the attacker's fixed session ID. Subsequently, the attacker can use this same session ID to access the victim's authenticated session.
Impact
Upon successful exploitation, an attacker can hijack a victim's authenticated session, gaining full access to the victim's account and any associated data or functionality. This can lead to account takeover and unauthorized access to sensitive information, depending on the privileges of the compromised user.
Mitigation
No patched version has been released, and the project has not responded to the issue report [1]. As the product does not use versioning, information about affected and unaffected releases is unavailable. There are no known workarounds or official mitigations at this time.
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to regenerate the session identifier after a successful login, allowing an attacker to fixate a session ID."
Attack vector
An attacker can obtain a valid session ID by visiting the site or by setting an arbitrary PHPSESSID cookie in a victim's browser. The attacker then tricks the victim into authenticating with this fixed session ID. After the victim logs in, the attacker reuses the same session ID to access the victim's account, as the session ID remains unchanged [ref_id=1]. This attack can be launched remotely.
Affected code
The vulnerability exists in the `login-form.php` file, specifically around lines 3-47. The function `session_start()` is called, and authentication data is stored in the existing session without regenerating the session ID. The code snippet provided shows `session_start();` followed by `$_SESSION['UserAuthData']=$UserAuthData;` and `header('Location: dashboard.php');` [ref_id=1].
What the fix does
The advisory indicates that the application initializes a session with session_start() but fails to regenerate the session identifier after a successful login using session_regenerate_id(true). The recommended remediation is to call session_regenerate_id(true) after a successful login to prevent session fixation. The project has been informed but has not yet responded, and no patch is available.
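The vulnerable sequence the advisory describes, beside a hardened version that applies the recommended session_regenerate_id(true), as an added PHP example (not code from the CollegeManagementSystem project; $UserAuthData stands in for the application's own authentication result, and the cookie flags assume an HTTPS deployment):

```php
<?php
// Added illustration, not the project's code. $UserAuthData is a placeholder
// for the application's own authentication result.

// --- Vulnerable pattern, as described for login-form.php ---
function login_vulnerable(array $UserAuthData): void
{
    session_start();                  // resumes whatever PHPSESSID the client sent,
                                      // including an ID an attacker planted earlier
    $_SESSION['UserAuthData'] = $UserAuthData;   // privilege is now bound to that ID
    header('Location: dashboard.php');           // no Set-Cookie: the ID is unchanged,
    exit;                                        // so whoever knows it is logged in too
}

// --- Hardened pattern ---
function login_hardened(array $UserAuthData): void
{
    // Defence in depth before the session starts (assumption: HTTPS deployment).
    ini_set('session.use_strict_mode', '1');   // drop IDs this server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // The actual fix. strict_mode alone is not enough: an attacker can obtain a
    // server-issued ID simply by visiting the site, so the ID that existed before
    // authentication must be replaced. The `true` argument deletes the old session
    // data, so the planted ID can never be used to reach the authenticated state.
    session_regenerate_id(true);

    $_SESSION['UserAuthData']     = $UserAuthData;
    $_SESSION['authenticated_at'] = time();
    header('Location: dashboard.php');   // response now carries Set-Cookie with a new PHPSESSID
    exit;
}
```

A quick check for the defect is to log in with a client-chosen PHPSESSID cookie and confirm the 302 response carries a Set-Cookie header with a different session ID; the advisory's reproduction shows the vulnerable case, where no Set-Cookie is sent at all.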
Preconditions
- network: The attacker can reach the login form remotely.
- input: The attacker can manipulate the UserAuthData argument or set a PHPSESSID cookie.
- auth: The attacker does not need to steal credentials, only trick a victim into authenticating with a fixed session ID.
Reproduction
Step 1 – Attacker uses a predetermined session ID and triggers a login (this could be done by the victim directly, or the attacker can send a pre-authenticated link):

POST /login-form.php HTTP/1.1
Host: 127.0.0.1:3000
Cookie: PHPSESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa
Content-Type: application/x-www-form-urlencoded

login-email=tittuhpd%40gmail.com&login-password=123456789&login-role=admin&login-submit=1

Response (no Set-Cookie header, the session ID remains unchanged):

HTTP/1.1 302 Found
Location: dashboard.php
...

Step 2 – Attacker accesses the dashboard with the same session ID:

GET /dashboard.php HTTP/1.1
Host: 127.0.0.1:3000
Cookie: PHPSESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa

Response:

HTTP/1.1 200 OK
...
<a href="#" class="dropdown-toggle" ...>Tittu Varghese ...

The page displays the authenticated user's name, confirming the session has been hijacked. [ref_id=1]
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.