CVE-2016-9125

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.

Revive Adserver en versiones anteriores a 3.2.3 sufre fijación de la sesión, al permitir que los identificadores de sesión arbitrarios sean forzados, y al mismo tiempo, al no invalidar la sesión existente tras una autenticación satisfactoria. Bajo algunas circunstancias, que podrían haber sido una oportunidad para que un atacante robara una sesión autenticada.