Description
A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. It affects the function session_start of the file /login-form.php. Manipulation of the argument UserAuthData can lead to session fixation. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability has been identified in tittuvarghese CollegeManagementSystem. The flaw allows an attacker to manipulate the UserAuthData input during the session_start call in /login-form.php, enabling session fixation. This weakness, classified as CWE-384, lets an adversary plant a session identifier they already know in a victim's browser; once the victim logs in, that identifier is bound to the authenticated session, compromising the confidentiality and integrity of user sessions. The impact is that an attacker could hijack legitimate sessions without needing to guess credentials.

Affected Systems

The affected product is tittuvarghese CollegeManagementSystem; no version is specified because the project does not use formal versioning. The vulnerability exists within the login-form.php routine that initiates sessions. Because there are no versioned releases, all deployments of the current code base are potentially impacted until the code is patched or the application is updated.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the absence of an EPSS rating leaves the likelihood of exploitation uncertain. The vulnerability is exploitable remotely, with publicly available exploit code; it has not yet been listed in the CISA KEV catalog. An attacker who can submit crafted UserAuthData without authentication may fix the session ID and hijack a session, but only if session fixation is not mitigated by proper session regeneration and cookie handling.

Generated by OpenCVE AI on June 5, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Modify /login-form.php so that after successful authentication the code calls session_regenerate_id(true) to replace the session identifier immediately.
  • Configure PHP session cookie parameters to enforce HttpOnly, Secure, and SameSite=Strict flags, ensuring the cookie cannot be accessed via client-side scripts and is only sent over HTTPS.
  • Before calling session_start() remove any pre-existing session cookie submitted by the client to eliminate the possibility that an attacker's session ID is accepted into the server's session store.
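The three recommended actions combined in one PHP login handler, as an added example that is not the project's own code. verify_credentials(), the username/password form field names and the /dashboard.php redirect are assumptions, and the login endpoint is assumed to hold no session state of its own before authentication.

```php
<?php
// Added example, not the project's code: a login handler that applies the
// three recommended actions. verify_credentials() is a hypothetical stand-in
// for the application's own credential check.
declare(strict_types=1);

function verify_credentials(string $user, string $pass): ?int
{
    // Hypothetical: look the user up and check the stored hash with password_verify().
    return null;
}

function start_login_session(): void
{
    // Action 3: refuse session IDs the server never issued, so a value
    // planted by an attacker is never adopted into the session store.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // Action 2: HttpOnly, Secure and SameSite=Strict on the session cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    // Action 3 (login endpoint only): discard any client-supplied session
    // cookie so session_start() issues a fresh identifier instead of
    // resuming one the client chose.
    unset($_COOKIE[session_name()]);
    session_start();
}

start_login_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = verify_credentials($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($uid !== null) {
        // Action 1: swap the identifier at the privilege boundary and delete
        // the old session data, so any pre-login ID is worthless afterwards.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $uid;
        header('Location: /dashboard.php');
        exit;
    }
    http_response_code(401);
}
```

Strict mode alone already rejects unknown identifiers on every page; the cookie unset is an extra belt-and-braces step that only makes sense on the login form, where no pre-login session state needs to survive.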


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This impacts the function session_start of the file /login-form.php. Executing a manipulation of the argument UserAuthData can lead to session fixation. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title | | tittuvarghese CollegeManagementSystem login-form.php session_start session fixation
First Time appeared | | Tittuvarghese; Tittuvarghese collegemanagementsystem
Weaknesses | | CWE-384
CPEs | | cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:*
Vendors & Products | | Tittuvarghese; Tittuvarghese collegemanagementsystem
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-05T15:28:07.914Z

Reserved: 2026-06-05T08:10:04.886Z

Link: CVE-2026-11335

Vulnrichment

Updated: 2026-06-05T15:28:04.481Z

NVD

Status: Deferred

Published: 2026-06-05T15:16:51.540

Modified: 2026-06-05T16:04:48.437

Link: CVE-2026-11335

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T15:30:13Z

Weaknesses