Vulnerabilities (CVE)

Filtered by vendor Aio-libs Subscribe

Filtered by product Aiohttp Session

Total 2 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2018-1000519	1 Aio-libs	1 Aiohttp Session	2025-07-11	4.3 MEDIUM	6.5 MEDIUM
aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).
CVE-2018-1000814	1 Aio-libs	1 Aiohttp Session	2025-03-14	4.0 MEDIUM	6.5 MEDIUM
aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.