CVE-2026-33384
Session Fixation in QuickCMS
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quickcms | quickcms | 6.8 |
| quickcms | quickcms | to 6.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in QuickCMS is a Session Fixation attack. It allows an attacker to set a user's session identifier before the user authenticates. The session ID remains the same after the user logs in, enabling the attacker to fix a session ID for the victim and later hijack the authenticated session.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to hijack a victim's authenticated session by fixing the session ID before login. This means the attacker can gain unauthorized access to the victim's account and perform actions with the victim's privileges.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update QuickCMS to version 6.8 or later, as the issue was fixed in the patch published on 15.05.2026.
Systems running versions older than 6.8 remain vulnerable and should be upgraded as soon as possible to prevent session fixation attacks.