CVE-2009-4151
Published 2009-12-02
Priority P4 · 24 · medium · 5.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS: 1.84% (76.3rd percentile)
Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
Affected
40 ranges (per the description: RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | rt | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vendor_redhat | — | 5.8 | MEDIUM | — |
Red Hat
rt3: web sessions hijack
vendor_redhat · 2009-11-20 · CVSS 5.8
CVE-2009-4151 [MEDIUM] rt3: web sessions hijack
GHSA
GHSA-pcr4-mc8q-h9h5: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3
ghsa_unreviewed · 2022-05-02 · CVSS 5.8
CVE-2009-4151 [MEDIUM] CWE-287 GHSA-pcr4-mc8q-h9h5: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3
No detection rules found.
References
http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch
http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch
http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html
http://secunia.com/advisories/37546
http://secunia.com/advisories/37728
http://www.securityfocus.com/bid/37162
https://exchange.xforce.ibmcloud.com/vulnerabilities/54472
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html