CVE-2009-3585

Published: Dec 2, 2009Modified: Apr 23, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.

Affected (40)

Products: Bestpractical: Rt

1 product

Configuration A

40 vulnerable

Vulnerable Software	Affected Versions
Bestpractical Rt	Version 3.0.10
Bestpractical Rt	Version 3.0.11
Bestpractical Rt	Version 3.0.12
Bestpractical Rt	Version 3.0.1
Bestpractical Rt	Version 3.0.2
Bestpractical Rt	Version 3.0.3
Bestpractical Rt	Version 3.0.4
Bestpractical Rt	Version 3.0.5
Bestpractical Rt	Version 3.0.6
Bestpractical Rt	Version 3.0.7.1
Bestpractical Rt	Version 3.0.7
Bestpractical Rt	Version 3.0.8
Bestpractical Rt	Version 3.0.9
Bestpractical Rt	Version 3.2.0
Bestpractical Rt	Version 3.2.1
Bestpractical Rt	Version 3.2.2
Bestpractical Rt	Version 3.2.3
Bestpractical Rt	Version 3.4.0
Bestpractical Rt	Version 3.4.1
Bestpractical Rt	Version 3.4.2
Bestpractical Rt	Version 3.4.3
Bestpractical Rt	Version 3.4.4
Bestpractical Rt	Version 3.4.5
Bestpractical Rt	Version 3.4.6
Bestpractical Rt	Version 3.6.0
Bestpractical Rt	Version 3.6.1
Bestpractical Rt	Version 3.6.2
Bestpractical Rt	Version 3.6.3
Bestpractical Rt	Version 3.6.4
Bestpractical Rt	Version 3.6.5
Bestpractical Rt	Version 3.6.6
Bestpractical Rt	Version 3.6.7
Bestpractical Rt	Version 3.6.8
Bestpractical Rt	Version 3.6.9
Bestpractical Rt	Version 3.8.0
Bestpractical Rt	Version 3.8.1
Bestpractical Rt	Version 3.8.2
Bestpractical Rt	Version 3.8.3
Bestpractical Rt	Version 3.8.4
Bestpractical Rt	Version 3.8.5

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (32)

http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch

Source: cve@mitre.org

http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html

Source: cve@mitre.org

http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html

Source: cve@mitre.org

Patch

http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html

Source: cve@mitre.org

Patch

http://secunia.com/advisories/37546

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/37728

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/37162

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/54472

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html

Source: cve@mitre.org

http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch

Source: af854a3a-2127-422b-91ae-364da2661108

http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://secunia.com/advisories/37546

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/37728

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/37162

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/54472

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.