CVE-2014-9386 - Remote Security vulnerability in Zenoss Core
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
network
zenoss
Summary
Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-12691.
CWE-384: Session Fixation (http://cwe.mitre.org/data/definitions/384.html)
Vulnerable Configurations
Statements
contributor | Zenoss |
lastmodified | 2016-03-21 |
organization | Zenoss |
statement | Addressed in versions 5.0, 4.2.5.SP273, and 4.2.4.SP854 |