SS-2017-006: Session user agent change detection

Severity: Low
Identifier: ss-2017-006
Versions Affected: 3.5.5 and below, 3.6.0 to 3.6.2
Versions Fixed: 3.5.6, 3.6.3
Release Date: 2017-12-07

A protection mechanism in Session designed to guard against session hijacking was not functioning correctly. It was intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header did not correctly invalidate the user session.

Reported by Patrick Nelson - https://catchyour.com/
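
The behaviour such a check is meant to have, as an added example (this is not SilverStripe's Session code; the function name, the session key and the sample requests are hypothetical): the session records a fingerprint of the User-Agent that created it, and any later request with a different or missing header gets a fresh, empty session.

```php
<?php
// Added example: not SilverStripe's Session code. All names are hypothetical.
const UA_KEY = '_ua_fingerprint'; // hypothetical session key

// Returns [session data to use, whether the old session was invalidated].
function bindSessionToUserAgent(array $session, ?string $userAgent): array
{
    // A missing header is treated as an empty value, so dropping the
    // header after login also counts as a change.
    $current = hash('sha256', (string) $userAgent);

    if ($session === []) {
        // New session: record the fingerprint of the client that created it.
        return [[UA_KEY => $current], false];
    }

    $stored = $session[UA_KEY] ?? null;
    if (!is_string($stored) || !hash_equals($stored, $current)) {
        // Fail closed: discard every stored value (login state included)
        // and start an empty session bound to the new User-Agent. A real
        // application would also call session_regenerate_id(true) here.
        return [[UA_KEY => $current], true];
    }

    return [$session, false];
}

// Constructed request sequence sharing one session.
$requests = [
    ['Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0', 'first request'],
    ['Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0', 'same client'],
    ['curl/8.0.0', 'different User-Agent'],
    [null, 'header removed'],
];

$session = [];
foreach ($requests as [$ua, $label]) {
    [$session, $invalidated] = bindSessionToUserAgent($session, $ua);
    if ($label === 'first request') {
        $session['loggedInAs'] = 42; // constructed login state
    }
    printf(
        "%-22s invalidated=%s loggedIn=%s\n",
        $label,
        $invalidated ? 'yes' : 'no',
        isset($session['loggedInAs']) ? 'yes' : 'no'
    );
}
```

The User-Agent is supplied by the client, so this check only catches a session ID replayed from a client that sends a different header.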