[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158
From: Ron E <ronaldjedgerson@xxxxxxxxx>
Date: Sun, 17 Aug 2025 22:38:42 -0400

The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2

Host: <host>

Cookie: JSESSIONID=node01***.node0;
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] CSV Injection in iDempiere WebUI 12.0.0.202508171158
Next by Date: [FD] Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3
Previous by thread: [FD] CSV Injection in iDempiere WebUI 12.0.0.202508171158
Next by thread: [FD] Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3
Index(es):
- Date
- Thread