Session Fixation Vulnerability in ZCC

  • 7012808
  • 09-Jul-2013
  • 10-Jan-2014


Novell ZENworks Configuration Management 11.2.3


It was possible to steal or manipulate a user's session and cookies, which could be used to impersonate a legitimate user, allowing an attacker to view or alter user records and to perform transactions as that user.


This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at http:////

Fixed by adding code to regenerate the session id on every login to ZCC


Root cause: The session ID was generated only when the ZCC login page was served and was not regenerated after the initial login. This left a window in which anyone who knew the pre-login session ID (for example, because they had planted it in the victim's browser) could reuse the now-authenticated session.
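The following is an added illustration of the root cause and the fix described above; it is not Novell's code and does not reflect how ZCC stores sessions. It uses a constructed in-memory session store and a hypothetical credential table (`USERS`) to show that when the login handler keeps the session ID issued with the login page (`login_vulnerable`), an attacker who planted that ID can read the victim's authenticated session, whereas a handler that regenerates the ID after authentication (`login_fixed`) leaves the attacker holding a dead ID.

```python
import secrets

# Constructed credential table standing in for the real authentication backend.
USERS = {"admin": "correct horse battery"}


class SessionStore:
    """Minimal server-side session store keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session attributes

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session's attributes under a fresh ID and invalidate the old one."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def authenticate(username, password):
    return USERS.get(username) == password


def login_vulnerable(store, sid, username, password):
    """Pre-fix behaviour: the session issued with the login page is simply marked
    as authenticated, so whoever already holds its ID now holds the login."""
    if store.get(sid) is None:
        sid = store.new_session()
    if not authenticate(username, password):
        return None
    store.get(sid)["user"] = username
    return sid  # same ID the client presented before logging in


def login_fixed(store, sid, username, password):
    """Post-fix behaviour: a new session ID is issued on every login, so an ID
    known before authentication never becomes an authenticated one."""
    if store.get(sid) is None:
        sid = store.new_session()
    if not authenticate(username, password):
        return None
    new_sid = store.regenerate(sid)
    store.get(new_sid)["user"] = username
    return new_sid


def current_user(store, sid):
    session = store.get(sid) if sid is not None else None
    return session.get("user") if session else None


def fixation_attack(login):
    """Simulate the attack against a given login handler.

    Returns (what the attacker sees with the planted ID, what the victim sees
    with the ID the server handed back after login)."""
    store = SessionStore()
    # 1. Attacker requests the login page and is issued a session ID.
    planted = store.new_session()
    # 2. Attacker plants that ID in the victim's browser (e.g. via a cookie
    #    injection); the victim then logs in presenting the planted ID.
    victim_sid = login(store, planted, "admin", "correct horse battery")
    # 3. Attacker replays the planted ID.
    return current_user(store, planted), current_user(store, victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))
    print("fixed:     ", fixation_attack(login_fixed))
```

In a Java servlet container such as the Tomcat instance that hosts ZCC, the `regenerate` step corresponds to `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later) or, on older containers, to calling `invalidate()` on the pre-login session and then `getSession(true)` before storing the authenticated principal.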


Security Alert

Additional Information

Assigned CVE-2013-6347.