CVE-2009-3585 — Improper Authentication in RT

CWE-287 — Improper Authentication9 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

0.4%

top 38.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bestpractical RT

Timeline

PublishedDec 2

Latest updateMay 2

Description

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDbestpractical/rt40 versions+39

Patches

Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗Patch: lists.bestpractical.com ↗

🔴Vulnerability Details

GHSA

GHSA-qwm4-r696-wpp8: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3↗2022-05-02

▶

GHSA

GHSA-pcr4-mc8q-h9h5: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3↗2022-05-02

▶

📋Vendor Advisories

Red Hat

rt3: web sessions hijack↗2009-11-20

▶

Red Hat

rt3: session hijack↗2009-11-20

▶

💬Community

Bugzilla

CVE-2009-3585 rt3: session hijack↗2009-12-04

▶

Bugzilla

CVE-2009-4151 rt3: web sessions hijack↗2009-12-03

▶

Bugzilla

CVE-2009-3585 rt3: session hijack↗2009-12-03

▶