Description
An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append an arbitrary session ID that will not be invalidated by subsequent authentication.
Remediation
References
Related Vulnerabilities
MongoDb Improper Encoding or Escaping of Output Vulnerability (CVE-2021-20333)
Oracle Database Server CVE-2014-4299 Vulnerability (CVE-2014-4299)
MySQL CVE-2016-0503 Vulnerability (CVE-2016-0503)
WordPress Plugin Availability Calendar SQL Injection (1.2)
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-8810)