CVE-2024-24552

Bludit is Vulnerable to Session Fixation

Description

A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their choosing.

Remediation

Solution:

  • See OWASP Session Management Cheatsheet: The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state though in some cases still not yet the authorized state. Common scenarios to consider include; password changes, permission changes, or switching from a regular user role to an administrator role within the web application. For all sensitive pages of the web application, any previous session IDs must be ignored, only the current session ID must be assigned to every new request received for the protected resource, and the old or previous session ID must be destroyed.

Category

5.6
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.10%
Affected: Bludit Bludit
Published at:
Updated at:

References

Link Tags
https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/

Frequently Asked Questions

What is the severity of CVE-2024-24552?
CVE-2024-24552 has been scored as a medium severity vulnerability.
How to fix CVE-2024-24552?
To fix CVE-2024-24552: See OWASP Session Management Cheatsheet: The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state though in some cases still not yet the authorized state. Common scenarios to consider include; password changes, permission changes, or switching from a regular user role to an administrator role within the web application. For all sensitive pages of the web application, any previous session IDs must be ignored, only the current session ID must be assigned to every new request received for the protected resource, and the old or previous session ID must be destroyed.
Is CVE-2024-24552 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-24552 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-24552?
CVE-2024-24552 affects Bludit Bludit.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.