Session Fixation in Drupal Drupal
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Session Fixation
EUVDB-ID: #VU545
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to access other users' initial session ID.
The weakness is caused by problems with users' session regeneration during a login event. After victim's authentication attackers may use the 'fixed' session ID that allows him to obtain valid user's session.
Successful exploitation of the vulnerability results in getting access to another user's session.
Update 5.x to 5.8.
http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz
Update 6.x to 6.3.
http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz
Drupal: 5.0 - 6.2
CPE2.3 External linkshttp://www.drupal.org/node/280571
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
