CVE-2014-9386 Information

Description

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation aka ZEN-12691.

Reference

http://www.kb.cert.org/vuls/id/449452 https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing