AltumCode 66biolinks Session Fixation Vulnerability
Vulnerability
A session fixation vulnerability exists in AltumCode 66biolinks version 62.0.0. The application does not regenerate the session identifier after successful authentication, so the session ID issued before login remains valid, and bound to the authenticated user, after login. The same session cookie value is therefore reused across users logging in from the same browser. Consequently, an attacker who can set or predict a session ID may hijack an authenticated session.
Impact
Exploitation of this vulnerability allows for session hijacking, where an attacker can take over a user's session, potentially leading to unauthorized access and account compromise.
Reproduction
To reproduce this vulnerability, log into the application as a user. After authentication, note the session ID assigned to that user. Then, log in as a different user from the same browser. The new user will receive the same session ID as the first, demonstrating the session fixation flaw.
Remediation
It is recommended to regenerate the session ID upon login, issuing a fresh identifier and discarding the old one, so that each authenticated session is unique. Additionally, the pre-authentication session and its server-side data should be invalidated so the old identifier no longer maps to the authenticated state.
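One way to apply this remediation in a PHP login handler, as an added example that is not 66biolinks' own code; it assumes PHP's native session handling, that credentials are verified elsewhere, and that $user_id is the authenticated user:

```php
<?php
// Added example (not 66biolinks code): regenerate the session ID at login so the
// pre-authentication identifier never becomes an authenticated one.
declare(strict_types=1);

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // use_strict_mode rejects session IDs the server did not itself issue,
        // which blocks a supplied (fixated) ID from being adopted.
        ini_set('session.use_strict_mode', '1');
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Vulnerable shape (the behaviour described in the advisory): the ID issued
// before login is kept after login.
function login_without_regeneration(int $user_id): string {
    start_session();
    $_SESSION['user_id'] = $user_id;
    return session_id();
}

// Hardened shape: drop pre-auth state, issue a fresh ID, delete the old session.
function login_with_regeneration(int $user_id): string {
    start_session();
    $_SESSION = [];                 // discard anything set before authentication
    session_regenerate_id(true);    // new ID; the old session data is deleted
    $_SESSION['user_id']   = $user_id;
    $_SESSION['auth_time'] = time();
    return session_id();
}

// Self-check mirroring the advisory's reproduction steps: two logins from the
// same browser must not share an ID once regeneration is in place.
function regeneration_check(): array {
    $v1 = login_without_regeneration(1);
    $v2 = login_without_regeneration(2);   // same ID: the fixation flaw
    $h1 = login_with_regeneration(1);
    $h2 = login_with_regeneration(2);      // a different ID on every login
    return [
        'vulnerable_reuses_id' => $v1 === $v2,   // expected true
        'hardened_rotates_id'  => $h1 !== $h2,   // expected true
    ];
}
```

The same check can be run against a deployed instance by comparing the session cookie value before and after the second login, as the Reproduction section describes.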
