CVE-2020-36913
Session Fixation in All-Dynamics enlogic:show 2.0.2 Enables Authentication Bypass
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| all-dynamics_software | enlogic | show |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36913 is a session fixation vulnerability in All-Dynamics Software enlogic:show version 2.0.2. It allows attackers to set a predefined PHP session identifier during the login process by forging HTTP GET requests to the welcome.php page with a manipulated session token. This enables attackers to bypass authentication and potentially perform cross-site request forgery (CSRF) attacks. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass authentication mechanisms, leading to unauthorized access. Attackers can fix a session ID and trick users into using it, enabling privilege escalation and further attacks such as cross-site request forgery (CSRF) and potentially cross-site scripting. This compromises the security of the affected system and can lead to unauthorized actions performed on behalf of legitimate users. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP GET requests to the welcome.php page for manipulated or predefined PHP session identifiers in the URL parameters. Specifically, look for session fixation attempts where the PHP session ID is set via GET requests during the login process. Network traffic inspection tools or web server logs can be used to identify such suspicious requests. While no specific commands are provided, using tools like curl or wget to simulate requests with fixed PHP session IDs to welcome.php, or using web application scanners that detect session fixation vulnerabilities, can help detect this issue. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the enlogic:show software to version 2.0.3 (Build 2102) or later, as this version addresses and fixes the session fixation vulnerability. Additionally, avoid using manipulated session tokens in URLs and ensure that session identifiers are securely managed and regenerated upon login to prevent session fixation attacks. [1, 2]