CVE-2009-3585
Published 2009-12-02
Priority P425 · CVSS 2.0 base score 5.8 (medium) · vector AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS 2.74% (84.3th percentile)
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
Affected
40 ranges · showing 25 (all 25 shown rows list bestpractical / rt with no version range or fixed-in value)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | rt | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vendor_redhat | — | 5.8 | MEDIUM | — |
GHSA: GHSA-qwm4-r696-wpp8 (ghsa_unreviewed · 2022-05-02)
CVE-2009-3585 [MEDIUM] CWE-287
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
GHSA: GHSA-pcr4-mc8q-h9h5 (ghsa_unreviewed · 2022-05-02 · CVSS 5.8)
CVE-2009-4151 [MEDIUM] CWE-287
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
Red Hat: rt3: web sessions hijack (vendor_redhat · 2009-11-20 · CVSS 5.8)
CVE-2009-4151 [MEDIUM]
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
Red Hat: rt3: session hijack (vendor_redhat · 2009-11-20 · CVSS 5.8)
CVE-2009-3585 [MEDIUM]
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2009-3585 rt3: session hijack (bugzilla · 2009-12-04 · CVSS 5.8)
CVE-2009-3585 [MEDIUM]
Clone bug for el5. I'll take care of the FC10-rawhide versions, but will not touch RHEL5.
+++ This bug was initially created as a clone of Bug #543977 +++
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #543962:
CVE-2009-3585 rt3: session hijack
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.o
Bugzilla: CVE-2009-4151 rt3: web sessions hijack (bugzilla · 2009-12-03 · CVSS 5.8)
CVE-2009-4151 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4151 to the following vulnerability:
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4151
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html
http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
http://bestpractical.type
Bugzilla: CVE-2009-3585 rt3: session hijack (bugzilla · 2009-12-03 · CVSS 5.8)
CVE-2009-3585 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3585 to the following vulnerability:
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
References:
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html
http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
http://bestpractical.typepad.com
References:
http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch
http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch
http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html
http://secunia.com/advisories/37546
http://secunia.com/advisories/37728
http://www.securityfocus.com/bid/37162
https://exchange.xforce.ibmcloud.com/vulnerabilities/54472
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html