| Field | Value |
|---|---|
| Topic | Session Fixation in Guardian/CMC before 22.6.2 |
| CWE Impact | CWE-384: Session Fixation |
| Affects | Guardian, CMC < v22.6.2 |
| CVE Risk Level | Medium |
| Risk Level for Nozomi customers | Medium |
Under certain conditions, depending on timing and use of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. As a result, an authenticated local attacker may gain access to the original user's session.
Guardian, CMC < v22.6.2
Adopt best practices that include closing the browser after a logout.
Upgrade to v22.6.2, v23.0.0 or later.
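The weakness class described in the summary (CWE-384, a session that survives logout) can be checked for with a small regression test. The following is an added, generic illustration and not Guardian/CMC code: `SessionStore`, its methods, the `operator` account and the session id values are all hypothetical names constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory server-side session table (hypothetical, illustrative)."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, username, presented_sid=None):
        # Fixation defence: never adopt an id the client presented before login.
        # Drop any record for it and mint a fresh, unpredictable id.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def logout_client_only(self, sid):
        # Weak pattern: the browser is told to drop the cookie, server state stays.
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout_invalidate(self, sid):
        # Hardened pattern: the server-side record is destroyed as well.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}


def replay_after_logout(logout_name):
    """Return the user a retained cookie value still maps to after logout."""
    store = SessionStore()
    sid = store.login("operator")       # constructed sample account
    getattr(store, logout_name)(sid)    # the user logs out
    return store.user_for(sid)          # the same cookie value is presented again


def login_rotates_id():
    """A pre-login id must not become the authenticated session id."""
    store = SessionStore()
    planted = "constructed-preauth-id"  # constructed sample value
    sid = store.login("operator", presented_sid=planted)
    return sid != planted and store.user_for(planted) is None


if __name__ == "__main__":
    print("client-only logout :", replay_after_logout("logout_client_only"))
    print("server invalidation:", replay_after_logout("logout_invalidate"))
    print("id rotated at login:", login_rotates_id())
```

A logout path passes this check only when the retained cookie value no longer resolves to a user on the server side.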
We thank the following parties for their efforts: