
Session Upgrade - Session token not updated after login

Severity: 4
CVSS: (AV:N/AC:L/Au:M/C:P/I:N/A:N)
Published: Jan 1, 2016
Added: Jun 27, 2018
Modified: Jun 27, 2018

Description

The web application must renew or regenerate the session ID after any change of privilege level within the associated user session. The most common scenario in which regeneration is mandatory is authentication, where the user's privilege level changes from unauthenticated (anonymous) to authenticated. Other scenarios must be handled the same way: password changes, permission changes, and switching from a regular user role to an administrator role within the application. An application that keeps the pre-authentication session ID after login is exposed to session fixation: an attacker who planted or observed that ID before the victim logged in can present it afterwards and obtain the authenticated session.
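The following is an added example, not code from Rapid7 or from any product this entry describes. It models a minimal in-memory session store with a switch that either keeps the pre-login session ID (the weakness described above) or rotates it on every privilege change, and runs the fixation scenario against both. The names (SessionStore, USERS, the demo user and password) are illustrative assumptions.

```python
"""Added example (not Rapid7's code): why the session ID must be regenerated
on login and on role changes. SessionStore, USERS and the demo user are
illustrative assumptions, not names from any real application."""
import hmac
import secrets

# Constructed credential table for the demo; a real app stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Maps session IDs to attributes. regenerate=False reproduces the weakness."""

    def __init__(self, regenerate: bool):
        self.regenerate = regenerate
        self._sessions: dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "role": "anonymous"}
        return sid

    def _rotate(self, sid: str) -> str:
        """Move the session's data to a fresh ID and invalidate the old one."""
        if not self.regenerate:
            return sid
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate the session; returns the ID the client must use from now on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        sid = self._rotate(sid)  # privilege change: anonymous -> user
        self._sessions[sid].update(user=username, role="user")
        return sid

    def promote_to_admin(self, sid: str) -> str:
        """A role change is another privilege boundary and gets the same treatment."""
        if self._sessions.get(sid, {}).get("user") is None:
            raise PermissionError("not authenticated")
        sid = self._rotate(sid)  # privilege change: user -> admin
        self._sessions[sid]["role"] = "admin"
        return sid

    def whoami(self, sid: str):
        s = self._sessions.get(sid)
        return (s["user"], s["role"]) if s else None


def session_fixation(store: SessionStore):
    """Classic fixation: the attacker already knows the pre-login session ID.
    Returns what the attacker sees when presenting the planted ID after the
    victim has logged in."""
    planted = store.new_session()                  # 1. attacker obtains an anonymous ID
    store.login(planted, "alice", USERS["alice"])  # 2. victim is induced to use it, then logs in
    return store.whoami(planted)                   # 3. attacker replays the planted ID


if __name__ == "__main__":
    print("vulnerable:", session_fixation(SessionStore(regenerate=False)))  # ('alice', 'user')
    print("fixed:     ", session_fixation(SessionStore(regenerate=True)))   # None
```

The check a practitioner wants is the one `session_fixation` performs: log in with a known session cookie and confirm the server issued a different one afterwards and that the old one no longer resolves to any session. In a real framework the equivalent of `_rotate` is the framework's own regenerate call (for example `session_regenerate_id(true)` in PHP or `HttpSession.invalidate()` followed by a new session in a servlet container), invoked after every successful authentication and role change, not only at the first login.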

Solution

sessionupgrade-sessionupgrade-r01