Description
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
Published: 2026-05-29
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

QuickCMS allows a user’s session identifier to be set before authentication. The value of this session ID remains unchanged after the user logs in, enabling an attacker to fix a session ID for a victim and subsequently hijack the authenticated session. This flaw can compromise the confidentiality and integrity of user sessions without providing direct remote code execution or denial of service. The weakness is categorized as CWE-384, Session Fixation.

Affected Systems

The vulnerability affects deployments of OpenSolution QuickCMS that have not applied the patch released on 15.05.2026. The description states that the fix is a patch to version 6.8 rather than a new version number, so an unpatched 6.8 installation is vulnerable alongside earlier releases. No further version granularity is provided, so system administrators should verify that the 15.05.2026 patch (or a later release that includes it) is actually installed rather than relying on the version number alone.

Risk and Exploitability

With a CVSS 4.0 base score of 4.8, the risk is rated medium. The EPSS score is below 1% (very low), the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation, rates the flaw as not automatable and scores its technical impact as partial. The attack is web-based: an adversary plants a session ID in the victim's browser, via a crafted URL or a cookie value the attacker can set, before the victim authenticates. Because QuickCMS keeps the same identifier across login, the copy of that ID the attacker holds becomes an authenticated session once the victim logs in. Note that the published CVSS vector (AV:L/AC:L/AT:N/PR:N/UI:P) scores the attack vector as local with passive user interaction, which is why the score is comparatively low even though a successful fixation yields full control of the victim's session.

Generated by OpenCVE AI on May 29, 2026 at 17:38 UTC.

Remediation

No vendor advisory or workaround is linked here. The CVE description states that the vendor fixed the issue in a patch to version 6.8 published on 15.05.2026.

OpenCVE Recommended Actions

  • Apply the QuickCMS 6.8 patch published on 15.05.2026, or a later release that includes it; the version number alone does not prove the fix is present.
  • Verify the fix by testing a fresh login flow: note the session cookie issued before authentication, log in, and confirm that the server issues a new session identifier and no longer accepts the old one. Receiving a session cookie before login is normal; the defect is that the identifier survives authentication unchanged.
  • Monitor session activity for signs of hijacking, such as a single session ID being used from different IP addresses or user agents during its lifetime, and consider invalidating a session or forcing re-authentication when its client changes.
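
The verification step above, as an added example that is not part of the original advisory or of QuickCMS: a Python model of a vulnerable login handler beside a fixed one that rotates the identifier on success, plus the black-box check a tester runs against a real deployment, which needs nothing but the session cookie seen before login and the Set-Cookie header of the login response. The cookie name PHPSESSID, the credentials and the handler functions are assumptions of the model.

```python
"""Session fixation check: does the session ID change across login?

Added example, not QuickCMS code. Two minimal login handlers are modelled:
one that authenticates into whatever session ID the client already sent
(the CWE-384 behaviour) and one that discards it and issues a fresh ID.
session_rotated() is the black-box check a tester runs against a live site.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE = "PHPSESSID"          # assumed session cookie name
VALID = {"admin": "hunter2"}  # constructed credentials for the model


class SessionStore:
    """In-memory session table keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid


def login_vulnerable(store, request_cookie, user, password):
    """Vulnerable handler: keeps the pre-auth session ID after a successful login."""
    sid = request_cookie or store.new_id()
    store.sessions.setdefault(sid, {})      # accepts any client-supplied ID
    if VALID.get(user) != password:
        return sid, {}
    store.sessions[sid]["user"] = user      # privilege attached to the old ID
    return sid, {"Set-Cookie": f"{COOKIE}={sid}; Path=/; HttpOnly"}


def login_fixed(store, request_cookie, user, password):
    """Fixed handler: on success, drop the old ID and issue a new one
    (the equivalent of PHP's session_regenerate_id(true))."""
    if VALID.get(user) != password:
        return request_cookie, {}
    store.sessions.pop(request_cookie, None)  # old ID is no longer valid
    sid = store.new_id()
    store.sessions[sid]["user"] = user
    return sid, {"Set-Cookie": f"{COOKIE}={sid}; Path=/; HttpOnly"}


def session_rotated(pre_login_sid, response_headers):
    """Black-box check: True only if the login response set a different session cookie."""
    set_cookie = response_headers.get("Set-Cookie")
    if not set_cookie:
        return False                        # no new cookie at all: old ID reused
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(COOKIE)
    return morsel is not None and morsel.value != pre_login_sid


def run_attack(handler):
    """Attacker fixes an ID, the victim logs in with it, attacker tries to use it."""
    store = SessionStore()
    attacker_sid = store.new_id()           # attacker obtains a valid ID from the site
    # the victim's browser is made to send attacker_sid, then the victim logs in
    _, headers = handler(store, attacker_sid, "admin", "hunter2")
    rotated = session_rotated(attacker_sid, headers)
    hijacked = store.sessions.get(attacker_sid, {}).get("user") == "admin"
    return {"rotated": rotated, "hijacked": hijacked}


if __name__ == "__main__":
    print("vulnerable:", run_attack(login_vulnerable))
    print("fixed:     ", run_attack(login_fixed))
```

Against a live instance the two handlers are replaced by real HTTP requests: fetch any page to receive a pre-login cookie, log in while sending that cookie, and pass the pre-login value together with the login response's headers to session_rotated(); a result of False on a 6.8 installation means the 15.05.2026 patch is not in place. Confirming that the old identifier is also rejected afterwards (the hijacked flag in the model) closes the remaining gap, because issuing a new cookie while still honouring the old one does not remove the fixation.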
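
The monitoring item above, as an added example that is not code from this page or from QuickCMS: a detector over constructed application session-log lines that flags any session identifier seen from more than one client IP or user agent, and records whether the second client appeared after a successful login, which is the shape a fixation-based hijack takes. The log format, the field names and the sample lines are constructed for the example; a real deployment should log a hash or prefix of the session ID rather than the raw value, and that is what the sid field stands for here.

```python
"""Flag session identifiers used from more than one client.

Added example, not OpenCVE or QuickCMS code. The log format is constructed:
one line per session event with a hashed session ID, client IP, user agent
and event name.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\w+) ip=(?P<ip>[\d.:a-fA-F]+) '
    r'ua="(?P<ua>[^"]*)" event=(?P<event>\S+)'
)

# Constructed sample: alice's session is reused by a curl client from a
# second address after she logged in; bob's session stays on one client.
SAMPLE_LOG = """\
2026-05-29T18:00:01Z sid=9f1c2a ip=203.0.113.5 ua="Mozilla/5.0 (X11; Linux)" event=session_start
2026-05-29T18:00:07Z sid=9f1c2a ip=203.0.113.5 ua="Mozilla/5.0 (X11; Linux)" event=login_ok user=alice
2026-05-29T18:03:40Z sid=9f1c2a ip=198.51.100.77 ua="curl/8.5.0" event=request path=/admin.php
2026-05-29T18:04:02Z sid=b7e4d0 ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)" event=session_start
2026-05-29T18:04:30Z sid=b7e4d0 ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)" event=login_ok user=bob
2026-05-29T18:05:11Z sid=b7e4d0 ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)" event=request path=/admin.php
"""


def parse(lines):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_shared_sessions(log_text):
    """Return {sid: {"ips": [...], "uas": [...], "after_login": bool}} for every
    session ID seen from more than one IP address or user agent.
    after_login is True when a new client first appeared on the session
    after a login_ok event, i.e. after the session carried privilege."""
    seen = defaultdict(lambda: {"ips": [], "uas": [], "logged_in": False, "after_login": False})
    for rec in parse(log_text.splitlines()):
        s = seen[rec["sid"]]
        if rec["event"] == "login_ok":
            s["logged_in"] = True
        new_client = rec["ip"] not in s["ips"] or rec["ua"] not in s["uas"]
        if new_client and s["ips"] and s["logged_in"]:
            s["after_login"] = True          # second client on an authenticated session
        if rec["ip"] not in s["ips"]:
            s["ips"].append(rec["ip"])
        if rec["ua"] not in s["uas"]:
            s["uas"].append(rec["ua"])
    return {
        sid: {"ips": v["ips"], "uas": v["uas"], "after_login": v["after_login"]}
        for sid, v in seen.items()
        if len(v["ips"]) > 1 or len(v["uas"]) > 1
    }


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

Address changes on their own are noisy (mobile networks, NAT, VPN roaming), so a user-agent change on an authenticated session is the stronger signal, and the after_login flag is what should drive an alert or a forced re-authentication. In the sample, sid 9f1c2a is alice's session, used by a curl client from a second address three minutes after she logged in, while bob's session is not reported.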

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Opensolution; Opensolution quick.cms

Type: Vendors & Products
Values Removed: (none)
Values Added: Opensolution; Opensolution quick.cms

Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

Type: Title
Values Removed: (none)
Values Added: Session Fixation in QuickCMS

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-384

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-29T17:31:52.144Z

Reserved: 2026-03-19T10:45:47.735Z

Link: CVE-2026-33384

Vulnrichment

Updated: 2026-05-29T17:31:49.345Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:25.417

Modified: 2026-05-29T16:29:11.350

Link: CVE-2026-33384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses