Description
JRun 4.0 does not properly generate and handle the JSESSIONID, which allows remote attackers to perform a session fixation attack and hijack a user's HTTP session.
Product(s):
- Hitachi Cosminexus Enterprise 01_01_1 Enterprise Edition
- Hitachi Cosminexus Enterprise 01_01_1 Standard Edition
- Hitachi Cosminexus Enterprise 01_02_2 Enterprise Edition
- Hitachi Cosminexus Enterprise 01_02_2 Standard Edition
- Hitachi Cosminexus Server Web 01-01 1
- Hitachi Cosminexus Server Web 01-01 2
- Macromedia ColdFusion 6.0
- Macromedia ColdFusion MX 6.1
- Macromedia ColdFusion 6.1 J2EE Application Server
- Macromedia JRun 3.0
- Macromedia JRun 3.0 SP1
- Macromedia JRun 3.1
- Macromedia JRun 4.0
- Macromedia JRun 4.0 SP1
- Macromedia JRun 4.0 SP1a
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2004-1478, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2004-1478 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.