Description
Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Published: 2026-02-05
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking via Fixation
Action: Patch Now
AI Analysis

Impact

Quick.Cart allows a user’s session identifier to be set before authentication and preserves that value after login, enabling attackers to predefine a session ID for a victim and later hijack the authenticated session. This flaw, classified as CWE‑384, leads to unauthorized access by masquerading as the victim, potentially exposing confidential data and permitting further malicious actions.

Affected Systems

The affected product is OpenSolution Quick.Cart. Version 6.7 was confirmed vulnerable, and other versions have not been tested but may also share the same issue. No other versions or product variants were mentioned in the vendor notice.

Risk and Exploitability

The vulnerability receives a CVSS score of 4.8, indicating moderate severity. The EPSS value is less than 1 %, suggesting currently low exploitation probability. It is not listed in the CISA KEV catalog. Attackers could exploit the flaw by crafting requests that set a session cookie before authentication, a path typical to web applications that allow cookie manipulation. Because no patch is publicly available, the risk remains unless mitigated by configuration changes.

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure the application regenerates the session ID upon successful authentication so that any pre‑auth session token is invalidated.
  • If a vendor patch for Quick.Cart 6.7 is released, apply it immediately.
  • Until a patch is available, block or filter requests that set a session ID before authentication using a web‑application firewall or server‑side validation.
  • As a temporary measure, invalidate all existing sessions at the time of user login to reduce the window of opportunity for hijacking.
  • Update your monitoring to detect repeated attempts to bind a session ID pre‑authentication and alert administrators.

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Opensolution
Opensolution quick.cart
Vendors & Products Opensolution
Opensolution quick.cart

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
Description Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Title Session Fixation in Quick.Cart
Weaknesses CWE-384
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Opensolution Quick.cart
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-02-05T14:19:55.348Z

Reserved: 2026-01-16T13:19:49.040Z

Link: CVE-2026-23796

cve-icon Vulnrichment

Updated: 2026-02-05T14:19:50.281Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-05T12:16:01.743

Modified: 2026-02-19T18:31:45.827

Link: CVE-2026-23796

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses