CVE-2025-8517
BaseFortify
Publication date: 2025-08-04
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | up to 1.0.7 (1.0.7 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8517 is a critical session fixation vulnerability in Vvveb CMS version 1.0.6.1. The issue occurs because the application fails to generate a new session identifier (PHPSESSID) upon successful user login. This allows an attacker to fixate a session ID by setting a known session ID value before the victim logs in. When the victim authenticates, the session ID remains the same, enabling the attacker to hijack the authenticated session and gain full access, including administrative privileges. There are two attack variants: one using a server-issued session ID and a more severe one where the attacker supplies an arbitrary session ID string that the server accepts. The root cause is the absence of session ID regeneration after login, violating proper session management practices. [1, 4, 6]
How can this vulnerability impact me?
This vulnerability can lead to complete account takeover by an attacker who hijacks authenticated user sessions. The attacker can gain unauthorized access to user or administrator accounts, compromising confidentiality, integrity, and availability of the system. This may result in data compromise, creation of persistent backdoors via new admin accounts, uploading malicious files or web shells, and full control over the affected application. The attack can be performed remotely with low complexity, making it relatively easy to exploit. [1, 2, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether Vvveb CMS version 1.0.6.1 or earlier is in use and verifying whether the session ID is regenerated after user login. A practical check is to set the PHPSESSID cookie to a known value before logging in and observe whether the session ID is still the same after authentication; if it does not change, the system is vulnerable. The resources provide no specific network commands, but the check can be performed manually with browser developer tools or by intercepting HTTP requests to observe session cookie behaviour, for example using curl or browser tools to set a fixed PHPSESSID cookie, log in, and see whether the session ID changes. [4, 6]
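The check above boils down to one question: after the login request, did the server hand back a PHPSESSID different from the one the client presented? The script below is an added example written for this page; it is not BaseFortify's or Vvveb's code. It classifies the raw headers of a login response (for instance the output of `curl -i` against an installation you administer) and treats the two vulnerable shapes separately: no `Set-Cookie` at all, which is the usual sign that the pre-login ID was silently kept, and the same ID echoed back. The three header blocks and the session ID value are constructed samples, not captured traffic.

```php
<?php
// Added example (not from BaseFortify or the Vvveb project): decide, from the
// raw headers of a login response, whether the server issued a fresh PHPSESSID.

/**
 * Collect every PHPSESSID value assigned by Set-Cookie headers in the response.
 * Returns an array of values, possibly empty.
 */
function phpsessidsSetBy(string $rawHeaders): array
{
    $ids = [];
    foreach (preg_split('/\r?\n/', $rawHeaders) as $line) {
        if (preg_match('/^Set-Cookie:\s*PHPSESSID=([^;\s]*)/i', $line, $m)) {
            $ids[] = $m[1];
        }
    }
    return $ids;
}

/**
 * $sentId is the PHPSESSID the test client presented before logging in.
 * Returns 'regenerated' when the login response assigns a different ID,
 * otherwise 'fixation' (no new cookie, or the same ID re-issued).
 */
function classifyLoginResponse(string $sentId, string $rawHeaders): string
{
    $ids = phpsessidsSetBy($rawHeaders);
    if ($ids === []) {
        return 'fixation';      // server silently kept the pre-login ID
    }
    $last = end($ids);          // browsers honour the last Set-Cookie for a name
    return ($last === $sentId) ? 'fixation' : 'regenerated';
}

// Constructed samples (hypothetical header blocks, not real responses).
$sent = 'fixedtestid1234';

$noCookie = "HTTP/1.1 302 Found\r\nLocation: /admin\r\nContent-Length: 0\r\n";
$echoed   = "HTTP/1.1 302 Found\r\nSet-Cookie: PHPSESSID={$sent}; path=/; HttpOnly\r\nLocation: /admin\r\n";
$fresh    = "HTTP/1.1 302 Found\r\nSet-Cookie: PHPSESSID=9f2c1a7b3e5d4c6a8b0f1e2d3c4b5a69; path=/; HttpOnly\r\nLocation: /admin\r\n";

foreach (['no Set-Cookie' => $noCookie, 'same ID echoed' => $echoed, 'fresh ID' => $fresh] as $label => $hdrs) {
    printf("%-15s => %s\n", $label, classifyLoginResponse($sent, $hdrs));
}
```

Only the third sample is classified as `regenerated`. The "no Set-Cookie" case is the one most easily missed when eyeballing browser tools, because nothing visibly changes; that absence is exactly the CWE-384 condition.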
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vvveb CMS to version 1.0.7, which includes a patch that regenerates the session ID immediately after successful user or admin login, preventing session fixation attacks. If upgrading is not immediately possible, a temporary fix involves modifying the login functions to call PHP's session_regenerate_id(true) right after setting the session data, ensuring a new session ID is generated post-authentication. This prevents attackers from hijacking sessions by fixing session IDs. Additionally, ensure that session management properly invalidates old session IDs upon login. [2, 3, 4, 6]
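To make the temporary fix concrete, here is a minimal login handler in its vulnerable form beside the patched form that calls `session_regenerate_id(true)` after the session data is set. This is an added example for this page, not Vvveb's actual login code; the `findUser` lookup, the user record and the password are constructed stand-ins for the CMS user table. With the `true` argument PHP copies the session data to a freshly generated ID and deletes the old session, so an ID the client fixed before login no longer maps to any authenticated state.

```php
<?php
// Added example (not Vvveb's code): a login handler before and after the
// session-fixation fix. The user record below is a constructed stub.

// Constructed stand-in for the CMS user table; the hash is generated at
// runtime rather than embedding a fixed value.
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => [
            'id'   => 1,
            'role' => 'admin',
            'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ]];
    }
    return $users[$username] ?? null;
}

// BEFORE (CWE-384): the session ID the client arrived with is kept after
// authentication, so a PHPSESSID set before login becomes an admin session.
function loginVulnerable(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    return true;
}

// AFTER: identical flow plus session_regenerate_id(true) once the user is
// authenticated. The data is carried over to the new ID and the old session
// is deleted, so the pre-login ID is dead.
function loginFixed(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    if (!session_regenerate_id(true)) {
        // If rotation fails, do not leave privileged data attached to the
        // caller-supplied ID: clear the session and report a failed login.
        session_unset();
        return false;
    }
    return true;
}

// CLI demonstration: both handlers run against a freshly started session;
// only the fixed one leaves a different session_id() behind.
session_start();
$before = session_id();

loginVulnerable('admin', 'correct horse battery staple');
echo "vulnerable handler changed the session ID: ",
     var_export(session_id() !== $before, true), "\n";

loginFixed('admin', 'correct horse battery staple');
echo "fixed handler changed the session ID:      ",
     var_export(session_id() !== $before, true), "\n";
```

Run it with `php` on the command line; session handling works there without an HTTP request. In the real CMS the same one-line call belongs in both the user and the admin login paths, since the advisory notes that either can be fixated.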