Skip to main content

Session Fixation

CVE-1999-0428

Severity High
Score 7.5/10

Summary

OpenSSL before 0.9.2b and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

  • LOW
  • NETWORK
  • NONE
  • PARTIAL
  • PARTIAL
  • PARTIAL

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

Advisory Timeline

  • Published