Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158
iDempiere WebUI v12.0.0.202508171158 has a session fixation vulnerability: no new JSESSIONID is generated after successful authentication, so an attacker who can predict or set the session ID can hijack a user's session and take over the account. 2025-8-19 03:0:16 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:38:42 -0400

The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2
Host: <host>
Cookie: JSESSIONID=node01***.node0;
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
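As an added illustration (not code from the advisory or from the iDempiere project), the following Python models a servlet-container style session store with the reported behaviour beside its hardened form, which invalidates the pre-authentication session and binds the logged-in state to a freshly minted JSESSIONID. It also includes the header check a reviewer would run on a captured login exchange to confirm that the identifier actually changed. The store, handler names and the sample cookie values are all constructed for the demonstration.

```python
"""Session fixation: the reported behaviour beside the hardened form.

Added example, not iDempiere code. It models a servlet-container style
session store in Python; the store, handlers and cookie values below are
all constructed for the demonstration.
"""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Minimal stand-in for a container's session table (constructed)."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, presented_sid):
        """Return (sid, data) for a known id, or mint a fresh one.

        Unknown ids are NOT adopted as-is: a client may only hold ids the
        server generated, which blocks fixation via arbitrary cookie values.
        """
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid, self._sessions[presented_sid]
        sid = secrets.token_hex(16)          # 128 bits from a CSPRNG
        self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

    def is_live(self, sid):
        return sid in self._sessions


def login_without_rotation(store, presented_sid, user):
    """The pattern the advisory describes: authenticate into whatever
    session the client presented, so the pre-login id stays valid."""
    sid, data = store.get_or_create(presented_sid)
    data["user"] = user
    return sid


def login_with_rotation(store, presented_sid, user):
    """Hardened form: drop the pre-authentication session and bind the
    authenticated state to an id the client did not hold before login."""
    old_sid, old_data = store.get_or_create(presented_sid)
    store.invalidate(old_sid)
    new_sid, new_data = store.get_or_create(None)
    new_data.update(old_data)   # carry over harmless pre-auth state (e.g. locale)
    new_data["user"] = user
    return new_sid


def jsessionid_rotated(request_cookie_header, response_set_cookie_header):
    """Fix verification: given the Cookie header sent with the login POST and
    the Set-Cookie header of its response, report whether a new JSESSIONID
    was issued. No JSESSIONID in the response means the old id was kept."""
    sent = SimpleCookie()
    sent.load(request_cookie_header)
    returned = SimpleCookie()
    returned.load(response_set_cookie_header)
    before = sent["JSESSIONID"].value if "JSESSIONID" in sent else None
    after = returned["JSESSIONID"].value if "JSESSIONID" in returned else None
    return after is not None and after != before


# Constructed sample exchange: the anonymous id from the first GET, then the
# Set-Cookie a non-rotating and a rotating server would send after login.
LOGIN_COOKIE = "JSESSIONID=node01aaaaaaaaaaaaaaaa.node0"
SET_COOKIE_KEPT = "JSESSIONID=node01aaaaaaaaaaaaaaaa.node0; Path=/; HttpOnly"
SET_COOKIE_FRESH = "JSESSIONID=node01bbbbbbbbbbbbbbbb.node0; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    store = SessionStore()
    anon_sid, _ = store.get_or_create(None)        # id handed out before login
    print("id kept after login :", login_without_rotation(store, anon_sid, "alice") == anon_sid)
    print("id fresh after login:", login_with_rotation(store, anon_sid, "alice") != anon_sid)
    print("header check, kept  :", jsessionid_rotated(LOGIN_COOKIE, SET_COOKIE_KEPT))
    print("header check, fresh :", jsessionid_rotated(LOGIN_COOKIE, SET_COOKIE_FRESH))
```

In a Java servlet container the equivalent of `login_with_rotation` is `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later) or `session.invalidate()` followed by `request.getSession(true)`, called in the login handler once credentials have been accepted; `jsessionid_rotated` is the check to apply to the captured login request and response after such a change to confirm it is in effect.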


Source: https://seclists.org/fulldisclosure/2025/Aug/13