Crystal Reports Weak Sessions
- Published: 28 Nov 2006
- Type: Crystal Reports: Weak Sessions Advisory
- Severity: High
Crystal Reports
CVE-2006-4099
Crystal Reports uses a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user’s IP address. This combination allows an attacker to hijack any currently authenticated user’s session from any location.
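The two controls whose absence the advisory describes, an unpredictable identifier and a binding to the client address, are shown here as an added example that is not Crystal Reports code. `SessionStore`, `SESSION_TTL` and the sample addresses are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # assumed idle timeout, in seconds


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: 256 bits of entropy per identifier,
        # so identifiers cannot be predicted from ones seen earlier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "expires": now + SESSION_TTL}
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the user name, or None if the request must be rejected."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None  # unknown or already revoked identifier
        if now > record["expires"]:
            del self._sessions[sid]
            return None  # idle timeout reached
        if record["ip"] != client_ip:
            # Identifier presented from an address other than the one it
            # was issued to: treat as stolen and revoke it outright.
            del self._sessions[sid]
            return None
        record["expires"] = now + SESSION_TTL  # sliding expiry
        return record["user"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")      # constructed sample values
    print(store.validate(sid, "203.0.113.10"))       # issued address
    print(store.validate(sid, "198.51.100.7"))       # different address
```

Strict address binding also logs out legitimate users whose address changes mid-session (mobile networks, rotating proxies), so it complements the random identifier rather than replacing it.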