Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules terminate the current request during a login event, allows remote attackers to hijack web sessions via unknown vectors.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Drupal | Drupal | 5.0 (including) | 5.9 (excluding) |
Drupal | Drupal | 6.0 (including) | 6.3 (excluding) |
Such a scenario is commonly observed when: