The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.
Patch is under way.
Remove the session_key from the template.
None.
If you have any questions or comments about this advisory: * Open an issue in Bouke/django-user-sessions * Email us at bouke@haarsma.eu
{ "nvd_published_at": null, "cwe_ids": [ "CWE-287" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-01-24T19:56:37Z" }