Session Fixation in Quick.Cart_CVE-2026-23796

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Basic Information

ID CVE-2026-23796

Source CERT-PL

Published Feb 5, 2026 at 11:07

Affected Product

Vendor OpenSolution

Product Quick.Cart

Version 6.7

Affected Versions OpenSolution Quick.Cart 6.7

CWE Classification

CWE-384

References

{
    "lastseen": "",
    "description": "Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.\u00a0This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
    "published": "2026-02-05T11:07:59.954Z",
    "modified": "2026-02-05T11:07:59.954Z",
    "type": "cve",
    "title": "Session Fixation in Quick.Cart",
    "source": "CERT-PL",
    "references": "https://opensolution.org/sklep-internetowy-quick-cart.html\nhttps://cert.pl/posts/2026/02/CVE-2026-23796",
    "id": "CVE-2026-23796",
    "bulletinFamily": "",
    "cwe": [
        "CWE-384"
    ],
    "cvelist": null,
    "sourceData": "OpenSolution Quick.Cart 6.7",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Quick.Cart",
    "version": "6.7",
    "vendor": "OpenSolution",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}