CVE-2025-64100

Impact

Session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login.
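The effect of regenerating the identifier at login can be seen in a small model. This is an added example, not CKAN's code: `SessionStore`, its methods and the sample ID are hypothetical, and a dict stands in for server-side session storage.

```python
import secrets


class SessionStore:
    """In-memory stand-in for server-side session storage (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session ID -> session data

    def get_or_create(self, sid=None):
        # A permissive store adopts whatever ID the cookie carries.
        if sid is None:
            sid = secrets.token_urlsafe(32)
        self._sessions.setdefault(sid, {})
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        """Behaviour before the fix: authenticate in place, ID unchanged."""
        sid = self.get_or_create(sid)
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerate(self, sid, user):
        """Behaviour after the fix: move the data to a fresh ID, retire the old one."""
        data = self._sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self._sessions[new_sid] = data
        return new_sid


def check_login(method_name):
    """Return (pre-login ID is authenticated, a new ID was issued) for a login method."""
    store = SessionStore()
    # Constructed sample: an ID that someone other than the user knew before login.
    known_sid = store.get_or_create("constructed-pre-login-id")
    issued = getattr(store, method_name)(known_sid, "alice")
    return store.user_for(known_sid) == "alice", issued != known_sid


if __name__ == "__main__":
    for name in ("login_keep_id", "login_regenerate"):
        authenticated, rotated = check_login(name)
        print(f"{name}: pre-login ID authenticated={authenticated}, ID rotated={rotated}")
```

A regression test for a deployment can follow the same shape: record the session cookie before login, log in, and assert that the cookie value changed and the old value no longer resolves to an authenticated session.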

Patches

This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.

References

https://en.wikipedia.org/wiki/Session_fixation

CVSS v3:

  • Severity: Unknown
  • Score:
  • Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N