CVE-2008-3222

EPSS 1.06%
Veröffentlicht 18.07.2008 16:41:00
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 15

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 5.0 < 5.9

Drupal ≫ Drupal Version >= 6.0 < 6.3

Fedoraproject ≫ Fedora Version8

Fedoraproject ≫ Fedora Version9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.06%	0.769

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

http://drupal.org/node/280571

Patch

Vendor Advisory

http://secunia.com/advisories/31079

Third Party Advisory

http://www.openwall.com/lists/oss-security/2008/07/10/3

Third Party Advisory

Mailing List

http://www.securityfocus.com/bid/30168

Patch

Third Party Advisory

VDB Entry