CVE-2020-27198 ESP Session Hijack due to common credentials
Kemp Reference PD-15788
Where multiple users share credential properties, a vulnerability in the handling of User Sessions in LoadMaster Edge Security Pack (ESP) could enable one authenticated user to inadvertently take over another authenticated user's session.
Where two users share credential properties including a specific matching portion of the username as well as the same password, simultaneous logins can result in one user accessing the other user's session. This could result in data being inadvertently accessed by a user.
The following products are affected by this vulnerability:
LoadMasters utilising ESP running LMOS versions 7.2.51, 7.2.50, 126.96.36.199 using Client-Side Forms Based Authentication
Not affected :
LoadMasters not utilising Edge Security Pack (ESP)
LoadMasters utilizing ESP but not using Client-Side Forms Based Authentication
LoadMasters running LMOS version 188.8.131.52 or lower
LoadMasters running LMOS version LMOS 184.108.40.206+(LTS) LMOS 7.2.52+(GA)
If you are utilising ESP and using Client-Side Forms Based Authentication while running LMOS versions 7.2.51, 7.2.50 or 220.127.116.11, please upgrade the LoadMaster Firmware to 7.2.53 (General Availability Release) or 18.104.22.168 (Long Term Stable Release).