Vulnerability scanner reports session fixation vulnerability for ICDx 1.4

Article ID: 208792

Products

ICDx

Issue/Introduction

A vulnerability scan of the ICDx web GUI reports a session fixation vulnerability.

Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application:

  • Fails to supply a new, unique SID to a user following a successful authentication
  • Allows a user to provide the SID to be used after authenticating


Cause

This is a false positive.

Environment

Release : 1.4

Component : ICDx

Resolution

This is a false positive, likely resulting from the structure of the session ID generated by the ICDx web GUI. Every login generates a new, unique session token, and an alternate session token supplied by the client will not be accepted.