CVE-2025-56746
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-23

Assigner: MITRE

Description
Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-23
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56746
EUVD
EUVD-2025-34621
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creativeitem academy_lms to 5.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a session fixation issue in Creativeitem Academy LMS versions up to 5.13. The system does not regenerate the session ID after a user successfully logs in. An attacker can set or fix a known session ID for a victim before the victim logs in. Because the session ID remains the same after login, the attacker can hijack the victim's authenticated session and perform unauthorized actions. [1]

Impact Analysis

An attacker can hijack your authenticated session by forcing you to use a predetermined session ID. This allows the attacker to access your account, perform unauthorized actions, and view sensitive data as if they were you. This compromises the confidentiality and integrity of your user session and data. [1]

Detection Guidance

This vulnerability can be detected by verifying if the session ID remains the same before and after user authentication. One way to test this is by using curl commands to capture the session cookie before login and after login to see if it changes. For example, use curl to fetch the login page and extract the session ID, then perform a login POST request with credentials and check if the session ID in the response cookies is the same. If the session ID does not change, the system is vulnerable to session fixation. [1]

Mitigation Strategies

Immediate mitigation steps include regenerating the session ID immediately after successful authentication using functions like session_regenerate_id(true) or CodeIgniter's $this->session->sess_regenerate(true). Additionally, set authenticated session data only after session regeneration. Implement session security configurations such as setting session expiration (e.g., 2 hours), periodic session regeneration (e.g., every 5 minutes), and using Secure and HttpOnly cookie flags. Regularly regenerate session IDs during active sessions and validate session integrity on each request. Destroy sessions on logout to prevent reuse. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart