CVE-2009-4151 — Improper Authentication in RT

CWE-287 — Improper Authentication5 documents5 sources

Severity

5.8MEDIUMNVD

EPSS

0.4%

top 40.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bestpractical RT

Timeline

PublishedDec 2

Latest updateMay 2

Description

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDbestpractical/rt40 versions+39

Patches

Patch: bestpractical.typepad.com ↗Patch: bestpractical.typepad.com ↗Patch: bestpractical.typepad.com ↗

🔴Vulnerability Details

GHSA

GHSA-pcr4-mc8q-h9h5: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3↗2022-05-02

▶

💥Exploits & PoCs

Exploit-DB

DeluxeBB 1.3 - 'qorder' SQL Injection↗2009-03-18

▶

📋Vendor Advisories

Red Hat

rt3: web sessions hijack↗2009-11-20

▶

💬Community

Bugzilla

CVE-2009-4151 rt3: web sessions hijack↗2009-12-03

▶