Full Disclosure mailing list archives

Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158

From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:38:42 -0400

The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2

Host: <host>

Cookie: JSESSIONID=node01***.node0;
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158 Ron E (Aug 18)