CVE Vulnerabilities

CVE-2017-12965

Session Fixation

Published: Aug 23, 2017 | Modified: May 06, 2019
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
Apache2triad Apache2triad 1.5.4 1.5.4

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References